php source code is downloaded and not parsed by server


Apr 30, 2011
Hi everyone. We recently set up a new VPS (CentOS) virtual server, and are now in the process of transferring accounts. Today we stumbled upon something that worries me.

When surfing to a recently moved account, we did not get to see a nice web-page, but the browser started downloading a file, called "download", without extension. When opened in notepad, the file contained the source php code of the index.php file. The server handled the php file as if it were just a file.

We could reproduce this behavior when we moved accounts that had the option "The PHP file extension will be processed by ... " set to PHP5 in the PHP Configuration. On the new VPS, we could not set this option. Only after changing the option to "System default" on the old server and then transferring the account again, the php files were parsed and the website showed.

Old server (shared hosting - cPanel 11.28.52)
New server (VPS - WHM 11.28.87 / CentOS 5.6)

I'm not sure if this is "by design" or what config files we could have edited to cure the account. Re-transferring it after setting the option at the source did work for us. But my questions are:

Is this a security hole? Can this be fixed without doing the transfer again?



Quality Assurance Analyst
Staff member
I'm not entirely certain I understand what was set on the old machine to change before moving the account. Normally, PHP files won't be properly parsed if you have not set the PHP handler in WHM > Apache Configuration > PHP and SuExec Configuration area on a machine.

You shouldn't need to re-transfer the accounts. You just need to determine the right PHP handler for the accounts to use so they work properly. If you cannot do so and do have root SSH and root WHM access on the new machine, please open up a ticket in WHM > Support Center > Contact cPanel.

As for being a security hole, it would be a security setup issue if you don't set the PHP handler and PHP files don't properly parse and download. It isn't an issue with most machines because they properly set the PHP handler to work, so it isn't actually a security hole in and of itself. It's a security setup issue with how your PHP handler is being parsed on your machine.
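
A check for the symptom described in this thread, added here as an example (it is not part of either post and is not cPanel code): after moving accounts, inspect the response each site gives for a `.php` URL and flag any that arrive as source instead of rendered output. The function names, the two heuristics and the sample responses are assumptions made for illustration.

```python
import re

# Heuristics (assumptions of this example, not cPanel settings):
# a raw PHP opening tag in the body, or a PHP MIME type on the response,
# means the file was sent as-is instead of being run by a PHP handler.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
PHP_MIME_PREFIX = "application/x-httpd-php"

def findings(headers, body):
    """Return the reasons a response looks like unparsed PHP (empty list if none)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    reasons = []
    if ctype.startswith(PHP_MIME_PREFIX):
        reasons.append("php-mime-type")
    if PHP_OPEN_TAG.search(body):
        reasons.append("raw-open-tag")
    return reasons

def audit(responses):
    """Map each URL path to its findings, keeping only paths that leak source."""
    report = {}
    for path, (headers, body) in responses.items():
        reasons = findings(headers, body)
        if reasons:
            report[path] = reasons
    return report

# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "/moved-account/index.php": (
        {"Content-Type": "application/x-httpd-php"},
        b"<?php\n$db_pass = 'placeholder';\ninclude 'header.php';\n",
    ),
    "/working-account/index.php": (
        {"content-type": "text/html; charset=UTF-8"},
        b"<html><body>Welcome</body></html>",
    ),
    "/blog/php-tutorial.php": (  # escaped code in rendered HTML must not trigger
        {"Content-Type": "text/html"},
        b"<pre>&lt;?php echo 1; ?&gt;</pre>",
    ),
    "/plain/index.php": (
        {"Content-Type": "text/plain"},
        b"<?xml version=\"1.0\"?>\n<?php echo 'hi';",
    ),
}

if __name__ == "__main__":
    for path, reasons in audit(SAMPLES).items():
        print(path, "->", ", ".join(reasons))
```

Any path that appears in the report should be treated as having exposed whatever its source contains, such as database credentials, until the handler is corrected.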