Source Code Disclosure - PHP

ID

source_code_disclosure_php

Severity

high

Kind

Information Disclosure

CWE

540

Description

PHP source code is accessible through the web server, typically because of a misconfiguration or because copies of PHP files exist under alternative extensions (backup or temporary files) that the server does not hand to the PHP interpreter. This detector identifies when PHP code is returned as plain text instead of being executed.

Rationale

Disclosed PHP source code exposes sensitive information including database credentials, API keys, encryption secrets, session management logic, and authentication mechanisms. Attackers can analyze the code to identify SQL injection points, authentication bypasses, or business logic flaws. This information significantly reduces the effort required to compromise the application and backend systems.

Remediation

Ensure that application source code is not available with alternative extensions such as .php.bak, .php~, or .txt. Configure the web server to only execute files with proper PHP extensions and deny access to backup or temporary files. Remove any source code files from publicly accessible directories and implement proper deployment practices that exclude development artifacts.
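As an added example (not part of the detector's own code), the following pre-deployment check walks a webroot for the artifact extensions named above and flags only those files that actually contain a PHP open tag; the sample webroot is constructed inline, and the .orig and .swp suffixes are assumed additions beyond the extensions the text lists.

```python
import os
import re

# Suffixes under which a copy of a PHP file is served as plain text because the
# web server never passes it to the PHP interpreter. .php.bak, .php~ and .txt
# come from the remediation text; .php.orig and .php.swp are assumed additions.
ARTIFACT_SUFFIXES = (".php.bak", ".php~", ".txt", ".php.orig", ".php.swp")

# A PHP open tag (long form or short echo) marks a body as unexecuted source.
PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=")


def is_artifact_name(name: str) -> bool:
    """True when the filename would bypass PHP processing (case-insensitive)."""
    return name.lower().endswith(ARTIFACT_SUFFIXES)


def contains_php_source(data: bytes) -> bool:
    """True when the file body carries a PHP open tag, i.e. it would leak as source."""
    return PHP_OPEN_TAG.search(data) is not None


def find_disclosed_sources(files):
    """files: mapping of webroot-relative path -> bytes.

    Returns the sorted paths that both bypass PHP processing and contain PHP code;
    a .txt file without PHP code is not reported.
    """
    return sorted(p for p, data in files.items()
                  if is_artifact_name(p) and contains_php_source(data))


def scan_webroot(root: str):
    """Filesystem variant: read every artifact-named file under root and classify it."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if is_artifact_name(name):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    found[os.path.relpath(full, root)] = fh.read()
    return find_disclosed_sources(found)


# Constructed sample webroot (not a real deployment).
SAMPLE_WEBROOT = {
    "index.php": b"<?php echo 'hello'; ?>",              # executed by PHP: not a leak
    "config.php.bak": b"<?php $db_pass = 'secret'; ?>",  # editor backup: leaks credentials
    "db.php~": b"<?php $dsn = 'mysql:host=db'; ?>",      # tilde backup: leaks
    "notes.txt": b"deploy checklist",                    # plain text without PHP: fine
}

if __name__ == "__main__":
    for path in find_disclosed_sources(SAMPLE_WEBROOT):
        print("would disclose PHP source:", path)
```

Run `scan_webroot("/path/to/webroot")` against the deployment directory before publishing it; a non-empty result means files that should be removed or denied by the web server configuration.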