WebApp Sec mailing list archives
RE: Antwort: Re: Fwd: PHP Easter Eggs
From: "Levenglick, Jeff" <JLevenglick () fhlbatl com>
Date: Wed, 1 Dec 2004 13:47:42 -0500
I think the 'main' point is trust. Every person who uses a computer does so with some trust in the software running on it. Example: You don't really trust the internet, so you don't enter bank info..ect on web sites. BUT.. you buy quicken or MS money and enter your bank info on your pc. You trust quicken/MS money and Windows to keep that info on your pc. You really have no way of knowing what happens to that info. When you find 'eggs' or other bugs, your trust goes down and you either use other software or none at all. PHP has done what everybody has done sometime during their life. If you think every program out there is secure with no back doors, then your in for a big surprise. Heck... Netscape had one of the early eggs, the great fish tank or the electronic sign. MS Excel had the flight program. You still use them today, don't you? Jeffrey -----Original Message----- From: Scovetta, Michael V [mailto:Michael.Scovetta () ca com] Sent: Tuesday, November 30, 2004 11:29 AM To: Carsten Kuckuk; Saqib.N.Ali () seagate com Cc: andi_mclean () ntlworld com; webappsec () securityfocus com Subject: RE: Antwort: Re: Fwd: PHP Easter Eggs While I don't agree with the idea of 'sneaking in' features like this, I think at the very least, it should be moved to another flag ($php_easter_eggs), and the default setting should be 'off'. Of course, I can't imagine anyone turning it on, but PHP isn't a toy project-- there shouldn't be any suprises. Mike -----Original Message----- From: Carsten Kuckuk [mailto:ck () rib de] Sent: Tuesday, November 30, 2004 5:37 AM To: Saqib.N.Ali () seagate com Cc: andi_mclean () ntlworld com; webappsec () securityfocus com Subject: Antwort: Re: Fwd: PHP Easter Eggs The documentation only states that this particular flag enables/disables the PHP string that's sent back in the headers. But it does not mention that it alters the semantics of GET statements when appended by a certain "magic" string. So this part of the behaviour counts as Easter Egg (and potential security problem) Saqib.N.Ali () seagate com 29.11.2004 17:17 An: andi_mclean () ntlworld com Kopie: webappsec () securityfocus com Thema: Re: Fwd: PHP Easter Eggs Hello Andi, I wouldn't classify this is a easter egg, especially since PHP provides a way to disable it, and also because it is not something the PHP group is trying to hide. Infact the setting to enable/disable this is very clearly stated in the php.ini, and is called "expose_php" . It is used for exposing what the webserver is running, just like server signature e.g. "Apache/1.3.26 (Unix) mod_gzip/1.3.26.1a PHP/4.3.3-dev " .. Thanks. Saqib Ali http://validate.sf.net Andi McLean <andi_mclean () ntlworld com> wrote on 11/28/2004 05:21:38 AM:
Hi, Does anyone know about the easter eggs in PHP? I've just found out about them, My trust in PHP has just had a
majorset back,
as I'm wondering what other easter eggs there are and can any be used
to
circumenvent the protection I have on my site. I feel like I now need to have a look at the source code, to find out
what
else is there. <anywebsite.that/uses.php>?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 <anywebsite.thatuses.php>?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 <anywebsite.thatuses.php>?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 eg www.jsane.com/index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 www.jsane.com/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 www.jsane.com/index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 Andi
----------------------------------------- This e-mail message is private and may contain confidential or privileged information.
Current thread:
- Antwort: Re: Fwd: PHP Easter Eggs Carsten Kuckuk (Nov 30)
- <Possible follow-ups>
- RE: Antwort: Re: Fwd: PHP Easter Eggs Scovetta, Michael V (Dec 01)
- RE: Antwort: Re: Fwd: PHP Easter Eggs Levenglick, Jeff (Dec 01)