WebApp Sec mailing list archives
Re: PHP Easter Eggs
From: Jimi Thompson <jimi.thompson () gmail com>
Date: Wed, 1 Dec 2004 22:35:41 -0600
I think the real concern here is that they've put these "hidden little gems" in there in the first place. Since no one else seems to want to come right out and say it, I'll do it. If that's in there, what else is in there that we just haven't found yet? A photograph of someone's dog in and of itself isn't very threatening. However, when you expect your system and and application to be fairly secure and you find something like this, you have to wonder what else is there that's also not "public". Does this mean that if I go join up on the PHP developers mailing lists/forums that I can find out about other stuff that might enable me to compromise a widely used e-commerce application like osCommerce? or nukeCommerce? or phpShop? or X-cart? or any of the other scads of both commercial and opensource e-commerce suites that are available. The only comment I have for the PHP development team is that this is _VERY_ uncool. 2 cents, Jimi On Tue, 30 Nov 2004 12:24:22 -0600, Paul Fierro <pablo () nothing com> wrote:
On 11/30/2004 2:53 AM, exon <exon () home se> wrote:The code should be removed from PHP altogether since it doesn't exactly provide much in the way of functionality. Possibly php_credits() could be added as a function, the way php_info() is now. That way nobody could glean information unawares, but the info would still be there if you need it (and it would be much easier to come by).A function named phpcredits() already exists: http://www.php.net/phpcredits Paul
-- Thanks, Jimi
Current thread:
- Re: PHP Easter Eggs, (continued)
- Re: PHP Easter Eggs Harrison Gladden (Nov 30)
- RE: PHP Easter Eggs V. Poddubnyy (Dec 01)
- Re: PHP Easter Eggs Antonio Varni (Dec 08)
- Re: PHP Easter Eggs Harrison Gladden (Nov 30)
- Re: Fwd: PHP Easter Eggs Alexander Klimov (Nov 29)
- Re: Fwd: PHP Easter Eggs Harald Nesland (Nov 29)
- Re: Fwd: PHP Easter Eggs RSnake (Nov 29)
- Re: PHP Easter Eggs q q (Nov 29)
- Re: Fwd: PHP Easter Eggs Saqib . N . Ali (Nov 30)
- Re: Fwd: PHP Easter Eggs exon (Nov 30)
- Re: PHP Easter Eggs Paul Fierro (Dec 01)
- Re: PHP Easter Eggs Jimi Thompson (Dec 02)
- Re: PHP Easter Eggs Griffiths, Ian (Dec 03)
- SQL injection (no single quotes used) Juan Carlos Calderon (Dec 14)
- Re: SQL injection (no single quotes used) Olivier G. Gaumond (Dec 15)
- Re: SQL injection (no single quotes used) Juan Carlos (Dec 15)
- RE: SQL injection (no single quotes used) Brett Moore (Dec 16)
- Re: Fwd: PHP Easter Eggs exon (Nov 30)
- RE: SQL injection (no single quotes used) Mutallip Ablimit (Dec 15)
- Re: SQL injection (no single quotes used) PD9 Software (Dec 16)
- Re: SQL injection (no single quotes used) Adam Tuliper (Dec 15)
- Re: PHP Easter Eggs Devin Egan (Nov 29)