WebApp Sec mailing list archives
Re: PHP Easter Eggs
From: "James Barkley" <James.Barkley () noaa gov>
Date: Thu, 09 Dec 2004 12:29:49 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 seriously. Someone called these hidden gems? They are not hidden - on the contrary they are completely exposed. Did you bother to look at the source code? The point of *open source* is that you can. And please don't tell me that it is impractical, because you had better believe I investigated the source code before I used the rand function to generate session hashes (because who knows how it determines what level of inertia is acceptable for pseudo-random??) - -Jim Barkley Rick Crelia wrote: |Hmmm. Methinks we're making a mountain out of a molehill with this |thread... no offense, but think about this: most MTAs come with |version string information enabled by default. Sendmail, qmail, |Postfix, etc. A competent system administrator knows that in |order to make the machine secure, you disable this functionality |by making the appropriate configuration change. These MTAs power |a large hunk of the Internet MTAs in existence and are considered |quite solid and secure (well, sendmail's gotten better anyway.. heh). | |I don't really see how the PHP "easter eggs" option is any different. | |Or did I miss something? You can turn this behavior off, and probably |should in most instances. | |--rc | |*========================================* |Rick Crelia - rick.crelia () oregonstate edu |OSU Libraries - Dept of Library Technology |Corvallis, OR 97331 - 541.737.8972 | | |On Fri, Dec 03, 2004 at 12:49:22PM -0500, Chuck Brockman spake thusly: | |>Maybe I'm not viewing this in the right light, but if PHP is to gain momentum in the corporate world and seriously compete with the other dominate web "languages", findings like this will discredit PHP. I personally like PHP and use it as well as others, but trying to sell PHP to management with findings like this may hamper the growth and acceptance of PHP. Yes, I know there are Easter eggs in almost everything out there, especially M$oft apps. |> |>Chuck |> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFBuIuLVtbq2E0xxN0RAgHEAJ9vt5ojq4KhoLhp7AM+bYhIbhOEgwCggrjc agtcu5Zu9m8HMISrrLhPxKo= =WwY4 -----END PGP SIGNATURE-----
Current thread:
- Re: SQL injection (no single quotes used), (continued)
- Re: SQL injection (no single quotes used) Olivier G. Gaumond (Dec 15)
- Re: SQL injection (no single quotes used) Juan Carlos (Dec 15)
- RE: SQL injection (no single quotes used) Brett Moore (Dec 16)
- RE: SQL injection (no single quotes used) Mutallip Ablimit (Dec 15)
- Re: SQL injection (no single quotes used) PD9 Software (Dec 16)
- Re: SQL injection (no single quotes used) Adam Tuliper (Dec 15)
- Re: PHP Easter Eggs Devin Egan (Nov 29)
- Re: PHP Easter Eggs Rick Crelia (Dec 08)
- Re: PHP Easter Eggs James Barkley (Dec 14)