WebApp Sec mailing list archives
Antwort: Re: PHP Easter Eggs
From: Carsten Kuckuk <ck () rib de>
Date: Tue, 30 Nov 2004 11:34:34 +0100
It's a different code path that has been added to PHP, and it's one that isn't used frequently, so it is to be considered inherently unsafe untill proven otherwise. if(EasterEggConditionMet()) PerformEasterEggCode() else PerformNormalCode() See the problem? The Easter Egg Code hasn't been tested yet. How will it react to variable injections? Extremely long parameters? Cookies? Post instead of Get? Does the picture trigger a buffer overflow on some esoteric platform? Can the Easter Egg HTML code in the server be replaced by something else through another PHP hole and then send attacking HTML code to unsuspecting visitors? Harrison Gladden <hgladden () gmail com> 30.11.2004 03:40 Bitte antworten an Harrison Gladden An: "Serban Gh. Ghita" <serban () verasys ro> Kopie: Andi McLean <andi_mclean () ntlworld com>, webappsec () securityfocus com Thema: Re: PHP Easter Eggs maybe it's me, but i'm failing to see the "big picture" here as far as security is concerned. It seems to me that this would only confirm to the evil user that yes you are running php, thereby allowing him to find php specific vulns?? Or is there something else i'm missing here. ~Harrison On Tue, 30 Nov 2004 06:12:00 +0200, Serban Gh. Ghita <serban () verasys ro> wrote:
interesting, but very risking. i am wondering if an evil user could
exploit
this and create hoaxes using this 'easter eggs' i also wonder what impact could have this over the big companies
websites
that are using php ;-) Serban Gh. Ghita coordonator departament IT VERASYS International serban () verasys ro zamolxe () php net http://www.verasys.ro phone1: +40-251-406.152 phone2: +40-251-406.153 cell: +40-788.28.29.10 ----- Original Message ----- From: "Andi McLean" <andi_mclean () ntlworld com> To: <webappsec () securityfocus com> Sent: Sunday, November 28, 2004 3:21 PM Subject: Fwd: PHP Easter EggsHi, Does anyone know about the easter eggs in PHP? I've just found out about them, My trust in PHP has just had a major
set
back,as I'm wondering what other easter eggs there are and can any be used
to
circumenvent the protection I have on my site. I feel like I now need to have a look at the source code, to find out
what
else is there. <anywebsite.that/uses.php>?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 <anywebsite.thatuses.php>?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 <anywebsite.thatuses.php>?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 eg www.jsane.com/index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 www.jsane.com/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 www.jsane.com/index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 Andi
-- ___________________________________ Harrison Gladden <hgladden () gmail com> Computer Engineer & Science Major ~Past experience: He who never makes mistakes, never did anything that's worth.~
Current thread:
- Antwort: Re: PHP Easter Eggs Carsten Kuckuk (Nov 30)