A moderator of a forum i own did so. I still can't belive on it, and i can't understand how he did it. Can someone explain me? He said he used only HTTP GET requests
The moderator said that the server (nginx) would normally send the output of the executed php files, but since that the files are 777 adding some parameters to the URL he can get the unparsed version of it.
Thanks
If there's a badly written download script on the site then it's as easy as rewriting the url to download any file (including PHP source files). That could be just what he did, so you'd better check if the forum software (and installed 3rd party modules) you are using don't contain any known vulnerabilities.
A properly configured server will only execute .php files, not reveal their source. But a badly configured server CAN serve up the PHP source via a .phps symbolic link pointing at the original file.
Beyond that, query parameters cannot tell PHP to serve up the source, unless the source in question has a backdoor in it, something like:
if (isset($_REQUEST['gimme_the_codez'])) {
readfile($_SERVER['SCRIPT_FILENAME']);
exit();
}
Of course, since the file's mode 777, if you can get into the directory it's in, you can get the file directly, or slap in the backdoor trivially.