diff --git a/library/Class/FileManager.php b/library/Class/FileManager.php
index 86e39cbad7bff8254414eddb72f8f1e91ba9da78..2af6fb8d35cb7ff74020f381016f1c46b7e9c4a9 100644
--- a/library/Class/FileManager.php
+++ b/library/Class/FileManager.php
@@ -35,7 +35,9 @@ class Class_FileManager {
 
 
   protected function _isForbidden($part) {
-    return $this->_isHtaccess($part) || $this->_isDotsOnly($part);
+    return $this->_isHtaccess($part)
+      || $this->_isDotsOnly($part)
+      || $this->_isPhpFile($part);
   }
 
 
@@ -49,4 +51,10 @@ class Class_FileManager {
       ? '' == trim(str_replace('.', '', $part))
       : false;
   }
+
+  protected function _isPhpFile($part) {
+    return $part
+      ? 1 === preg_match('/\.php[1-9]*$/i', $part)
+      : false;
+  }
 }
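Review bot: The pattern `/\.php[1-9]*$/i` in `_isPhpFile` is a denylist anchored to the final extension, so names ending in `.phtml`, `.phar` or `.php0`, and names where `.php` is followed by another extension, are not rejected. Whether the web server would hand any of those to the PHP interpreter depends on handler configuration that is not visible in this diff. If the goal is to keep executable scripts out of the user files area, an allowlist of permitted extensions is easier to reason about than a list of interpreter suffixes, and disabling script handling for that directory in the server configuration is the control that holds when the name check is bypassed. At minimum I would widen the check, for example `1 === preg_match('/\.(php\d*|phtml|pht|phar)(\.|$)/i', $part)`, and add a docblock on `_isPhpFile` stating that it is defence in depth and that `$part` is presumably one path segment (confirm against the caller, which is outside this hunk).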
diff --git a/tests/library/Class/FileManagerTest.php b/tests/library/Class/FileManagerTest.php
index a551d54de5bfc1ea7c8c541b76f3e649255518a8..a48439743fccf99a7b683d24198dd3aaa04050f2 100644
--- a/tests/library/Class/FileManagerTest.php
+++ b/tests/library/Class/FileManagerTest.php
@@ -123,4 +123,16 @@ class FileManagerAuthAsAdminTest extends FileManagerTestCase {
   public function dotHtaccessShouldNotBeAuthorized() {
     $this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . '/.htaccess'));
   }
+
+
+  /** @test */
+  public function phpFileShouldNotBeAuthorized() {
+    $this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . '/anything.php'));
+  }
+
+
+  /** @test */
+  public function php5FileShouldNotBeAuthorized() {
+    $this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . '/anything.php5'));
+  }
 }
\ No newline at end of file
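Review bot: The two new tests cover only lowercase `.php` and `.php5`, so the `/i` flag and the edges of the pattern in `_isPhpFile` are untested. I would add a case asserting false for `USERFILESURL . '/anything.PHP'`, and one for a name that merely contains the letters, such as `USERFILESURL . '/php-notes.txt'`, to pin that the new rule does not change how ordinary files are treated. The expected value for that second case depends on the rest of `isAuthorized`, which is outside this hunk, so confirm it before asserting. The test class itself begins outside the hunk.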