NuSphere Forums
Remote debugging has a security problem


Joined: 16 Feb 2010
Posts: 5
I've just found a big security problem using remote debugger.

Here is an example to illustrate it:

index.php  -rwxr--r--
file1.php  -rwxr-----
file2.php  -rwxr--r--

Say index.php includes file1.php which then includes file2.php.

As you can see from the file permissions, file1.php can't be read by a user who is not the owner or in the group.

Now, if I make a project using an SFTP account to download the project files, only index.php and file2.php are downloaded (as expected).
But if I put a breakpoint into index.php and I step INTO the include('file1.php'), this is what happens:
- I get a file permission error (as expected)
- A window with a progress gauge appears, waiting for something
- If I press Cancel on this window, phpED opens file1.php and shows the source code!

This means that from my index.php I could include any file from any other directory and see its code through the debugger.

The above example is simple and only demonstrates the problem. The thing is, we have several freelance developers who work for our company and we don't want to share all the source code with them. They have access to certain files through file access rights, and in no way would we want them to be able to see code from other files just by including them from a file they have access to and can debug.

Thanks for any advice.
-- Voxen


Joined: 29 May 2007
Posts: 29
The debugger is a PHP module. PHP runs on the remote site, usually with the rights of the web server user. So if the web server can read the file, the debugger can read it too.
-- bruno701
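Added illustration, not from anyone in this thread: the reason the mode bits in the first post do not help is that the reader is the PHP process (and the debugger module loaded into it), not the developer's SFTP login. One way to make ordinary file permissions apply to PHP as well is to give each developer account its own PHP-FPM pool running as that account's UNIX user; pool names, users, socket paths and directories below are assumed for the example.

```ini
; Shared setup, as described in the thread: every site runs as www-data,
; so a file that is mode 0640 and owned by someone else is still readable
; by any developer's include() because www-data is in the file's group.
[www]
user = www-data
group = www-data
listen = /run/php/php-fpm-www.sock
; no open_basedir: include() can reach any path www-data can read

; Separated setup: one pool per developer account (names assumed).
; Each pool's workers, including the debugger extension, run as that
; developer's own user, so 0640 owner:group on another developer's file
; is enforced by the kernel for PHP exactly as it is for the SFTP login.
[dev-alice]
user = alice
group = alice
listen = /run/php/php-fpm-alice.sock
; the web server (www-data) must still be able to connect to the socket
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
; Additionally confine file access to the developer's own tree plus a
; temp dir; an include of a path outside it fails with an open_basedir
; restriction instead of returning the source to the debugger.
php_admin_value[open_basedir] = /srv/www/alice:/tmp

[dev-bob]
user = bob
group = bob
listen = /run/php/php-fpm-bob.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
php_admin_value[open_basedir] = /srv/www/bob:/tmp
```

The per-pool user is the actual control here; open_basedir is only a convenience check on top, and the files to be protected must be owned by a user and group that the developer's pool user is not a member of.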


Joined: 16 Feb 2010
Posts: 5
I understand that it's a PHP module and therefore uses the web server user's rights.

But the point is: if phpED can't download a file locally via SFTP because of file access rights, it should NOT ask the remote debugger to grab the remote source file in order to display it.

To me it's a major security issue, because it means that from any source file one can php-include a file one doesn't have access to, step into it and read the code!
-- Voxen


Joined: 29 May 2007
Posts: 29
Sorry, I can't see a problem there. That sounds like you want "security through obscurity". What prevents your developers from using code like this:

Code:

echo file_get_contents("file1.php");
-- bruno701
Guru master

Joined: 05 Jul 2004
Posts: 659
Location: Belgium
Voxen: the debugger needs to be able to read the source and transmit it. Sometimes you have to debug problems without having the source on your system.
Besides, as bruno701 pointed out, it is not a DBG problem but a web server "problem". If one of your developers really wanted to, he/she could just do a file_get_contents on the file and display it anyway, no debugger needed at all.

If it really is that big of a deal for you, why not use NuCoder or a similar product to encode the "private" files first and put them on the remote machine in that form? We have no readable source on our production servers anyway, and the code we share as libraries is always encrypted.
-- Blizz


Joined: 16 Feb 2010
Posts: 5
You are absolutely right, one could print the code with a file_get_contents() call anyway.

Thanks for your answers, I'll probably have to look at NuCoder or other solutions.
-- Voxen


Joined: 23 Feb 2010
Posts: 1
Blizz wrote:
> Voxen: the debugger needs to be able to read the source and transmit it. Sometimes you have to debug problems without having the source on your system.
> Besides, as bruno701 pointed out, it is not a DBG problem but a web server "problem". If one of your developers really wanted to, he/she could just do a file_get_contents on the file and display it anyway, no debugger needed at all.
>
> If it really is that big of a deal for you, why not use NuCoder or a similar product to encode the "private" files first and put them on the remote machine in that form? We have no readable source on our production servers anyway, and the code we share as libraries is always encrypted.

Good suggestion! I think this should work. Thanks for sharing!
-- starstruck


Joined: 29 May 2007
Posts: 29
SPAM!!!
-- bruno701