WebApp Sec mailing list archives
Re: Fwd: PHP Easter Eggs
From: exon <exon () home se>
Date: Tue, 30 Nov 2004 09:53:56 +0100
Saqib.N.Ali () seagate com wrote:
Hello Andi, I wouldn't classify this is a easter egg, especially since PHP provides a way to disable it, and also because it is not something the PHP group is trying to hide. Infact the setting to enable/disable this is very clearly stated in the php.ini, and is called "expose_php" . It is used for exposing what the webserver is running, just like server signature e.g. "Apache/1.3.26 (Unix) mod_gzip/1.3.26.1a PHP/4.3.3-dev " .
Still, if you turn off the apache server-signature but leave the expose_php = On, you can get to know that PHP is actually running by trying one or more of these Eggs. It's a Bad Thing (tm) if you ask me.
The code should be removed from PHP altogether since it doesn't exactly provide much in the way of functionality. Possibly php_credits() could be added as a function, the way php_info() is now. That way nobody could glean information unawares, but the info would still be there if you need it (and it would be much easier to come by).
Thanks. Saqib Ali http://validate.sf.net Andi McLean <andi_mclean () ntlworld com> wrote on 11/28/2004 05:21:38 AM:Hi, Does anyone know about the easter eggs in PHP? I've just found out about them, My trust in PHP has just had a majorsetback,as I'm wondering what other easter eggs there are and can any be used to circumenvent the protection I have on my site. I feel like I now need to have a look at the source code, to find outwhatelse is there. <anywebsite.that/uses.php>?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 <anywebsite.thatuses.php>?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 <anywebsite.thatuses.php>?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 eg www.jsane.com/index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 www.jsane.com/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 www.jsane.com/index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 Andi
Current thread:
- Re: PHP Easter Eggs, (continued)
- Re: PHP Easter Eggs Serban Gh. Ghita (Nov 29)
- Re: PHP Easter Eggs Serban Gh. Ghita (Nov 29)
- Re: PHP Easter Eggs Harrison Gladden (Nov 30)
- RE: PHP Easter Eggs V. Poddubnyy (Dec 01)
- Re: PHP Easter Eggs Antonio Varni (Dec 08)
- Re: PHP Easter Eggs Harrison Gladden (Nov 30)
- Re: Fwd: PHP Easter Eggs Alexander Klimov (Nov 29)
- Re: Fwd: PHP Easter Eggs Harald Nesland (Nov 29)
- Re: Fwd: PHP Easter Eggs RSnake (Nov 29)
- Re: PHP Easter Eggs q q (Nov 29)
- Re: Fwd: PHP Easter Eggs Saqib . N . Ali (Nov 30)
- Re: Fwd: PHP Easter Eggs exon (Nov 30)
- Re: PHP Easter Eggs Paul Fierro (Dec 01)
- Re: PHP Easter Eggs Jimi Thompson (Dec 02)
- Re: PHP Easter Eggs Griffiths, Ian (Dec 03)
- SQL injection (no single quotes used) Juan Carlos Calderon (Dec 14)
- Re: SQL injection (no single quotes used) Olivier G. Gaumond (Dec 15)
- Re: SQL injection (no single quotes used) Juan Carlos (Dec 15)
- RE: SQL injection (no single quotes used) Brett Moore (Dec 16)
- Re: Fwd: PHP Easter Eggs exon (Nov 30)
- RE: SQL injection (no single quotes used) Mutallip Ablimit (Dec 15)
- Re: SQL injection (no single quotes used) PD9 Software (Dec 16)
- Re: SQL injection (no single quotes used) Adam Tuliper (Dec 15)