Hacker News

senojsitruc today at 8:31 PM

I wrote GlowWorm ~20 years ago, duplicating much of the LittleSnitch functionality at the time.

I remember discovering remote kernel debugging across ethernet; it was magical.

https://glowworm.us


Replies

guessmyname today at 8:34 PM

When I click on the “Download / Buy Now” link [1], Safari tries to download it instead of visiting the page. I tried with cURL and discovered that the page is returning a “content-type: application/octet-stream” header, which makes no sense because the page is just HTML. Also, I can see some portions of raw PHP code in the HTTP response, so I think your web server is not interpreting PHP as it is supposed to and instead returning the raw content from the PHP file.

Edit: In fact, every PHP file is being leaked; for example, this file [2] contains a $hash_salt, which is supposedly being used to “prevent[s] users guessing filenames and make data more secure”.

[1] https://glowworm.us/securimage/download.php

[2] https://glowworm.us/securimage/securimage.php
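
A defender-side check for the condition described in the comment above, as an added example that is not part of the thread or of the site's code: it inspects an HTTP response for an unexecuted PHP open tag and a static-file Content-Type. The sample responses, the function names, the list of "static" media types and the placeholder salt value are constructed for illustration.

```python
import re

# Constructed sample responses (not captured from any real server).
LEAKING = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "<?php\n$hash_salt = 'PLACEHOLDER';\necho '<html>';\n?>\n"
)
HEALTHY = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>Download</body></html>\n"
)

# Assumption: media types a server tends to send when it treats .php as a plain file.
STATIC_TYPES = {"application/octet-stream", "text/plain", "application/x-httpd-php"}
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
PHP_ASSIGNMENT = re.compile(r"\$([A-Za-z_]\w*)\s*=(?![=>])")

def parse_response(raw):
    """Split a raw HTTP/1.x response into (lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def audit_php_response(url_path, raw):
    """Return findings that indicate PHP source was served instead of executed."""
    headers, body = parse_response(raw)
    findings = []
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    # A download script can legitimately send octet-stream, so this is a hint only.
    if url_path.lower().endswith(".php") and media_type in STATIC_TYPES:
        findings.append("content-type suggests file served as static data: " + media_type)
    # The decisive signal: the interpreter never consumed the open tag.
    if PHP_OPEN_TAG.search(body):
        findings.append("unexecuted PHP open tag in body")
        names = sorted(set(PHP_ASSIGNMENT.findall(body)))
        if names:
            findings.append("variables assigned in leaked source: " + ", ".join(names))
    return findings

if __name__ == "__main__":
    for path, raw in (("/securimage/securimage.php", LEAKING),
                      ("/securimage/download.php", HEALTHY)):
        print(path, audit_php_response(path, raw))
```

Any secret held in a variable named by the last finding should be treated as disclosed and rotated once the PHP handler is restored.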
