WebApp Sec mailing list archives

RE: Antwort: Re: Fwd: PHP Easter Eggs


From: "Levenglick, Jeff" <JLevenglick () fhlbatl com>
Date: Wed, 1 Dec 2004 13:47:42 -0500

I think the 'main' point is trust. Every person who uses a computer
does so with some trust in the software running on it. 

Example:

You don't really trust the internet, so you don't enter bank info, etc. on web sites.
BUT... you buy Quicken or MS Money and enter your bank info on your PC. You trust
Quicken/MS Money and Windows to keep that info on your PC. You really have no way of
knowing what happens to that info.

When you find 'eggs' or other bugs, your trust goes down and you either use other software
or none at all. PHP has done what everybody has done sometime during their life. If you think
every program out there is secure with no back doors, then you're in for a big surprise.

Heck... Netscape had one of the early eggs, the great fish tank or the electronic sign. MS Excel had
the flight program. You still use them today, don't you?

Jeffrey 

-----Original Message-----
From: Scovetta, Michael V [mailto:Michael.Scovetta () ca com]
Sent: Tuesday, November 30, 2004 11:29 AM
To: Carsten Kuckuk; Saqib.N.Ali () seagate com
Cc: andi_mclean () ntlworld com; webappsec () securityfocus com
Subject: RE: Antwort: Re: Fwd: PHP Easter Eggs


While I don't agree with the idea of 'sneaking in' features like this, I
think at the very least, it should be moved to another flag
($php_easter_eggs), and the default setting should be 'off'. Of course,
I can't imagine anyone turning it on, but PHP isn't a toy project--
there shouldn't be any surprises.

Mike

-----Original Message-----
From: Carsten Kuckuk [mailto:ck () rib de] 
Sent: Tuesday, November 30, 2004 5:37 AM
To: Saqib.N.Ali () seagate com
Cc: andi_mclean () ntlworld com; webappsec () securityfocus com
Subject: Antwort: Re: Fwd: PHP Easter Eggs

The documentation only states that this particular flag enables/disables
the PHP string that's sent back in the headers. But it does not mention
that it alters the semantics of GET statements when appended by a certain
"magic" string. So this part of the behaviour counts as an Easter egg (and
potential security problem).

Saqib.N.Ali () seagate com
29.11.2004 17:17

        To:      andi_mclean () ntlworld com
        Cc:      webappsec () securityfocus com
        Subject: Re: Fwd: PHP Easter Eggs

Hello Andi,

I wouldn't classify this as an easter egg, especially since PHP provides a
way to disable it, and also because it is not something the PHP group is
trying to hide. In fact the setting to enable/disable this is very clearly
stated in the php.ini, and is called "expose_php".

It is used for exposing what the webserver is running, just like server
signature e.g. "Apache/1.3.26 (Unix) mod_gzip/1.3.26.1a PHP/4.3.3-dev".

Thanks.
Saqib Ali
http://validate.sf.net

Andi McLean <andi_mclean () ntlworld com> wrote on 11/28/2004 05:21:38 AM:

Hi,

Does anyone know about the easter eggs in PHP?
I've just found out about them. My trust in PHP has just had a major
setback, as I'm wondering what other easter eggs there are and can any be
used to circumvent the protection I have on my site.
I feel like I now need to have a look at the source code, to find out what
else is there.

<anywebsite.that/uses.php>?=PHPE9568F36-D428-11d2-A769-00AA001ACF42

<anywebsite.thatuses.php>?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

<anywebsite.thatuses.php>?=PHPE9568F34-D428-11d2-A769-00AA001ACF42

e.g.
www.jsane.com/index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
www.jsane.com/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
www.jsane.com/index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42


Andi








-----------------------------------------
This e-mail message is private and may contain confidential or privileged information.
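
An added example, not part of any message in this thread: a small access-log scan that flags requests whose entire query string is one of the "magic" strings quoted above, or another string of the same "=PHP" plus GUID shape. The log format (Apache common/combined), the sample lines and the names classify and scan are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The three magic strings quoted in the thread, upper-cased for comparison.
THREAD_STRINGS = {
    "PHPE9568F36-D428-11D2-A769-00AA001ACF42",
    "PHPB8B5F2A0-3C92-11D3-A3A9-4C7B08C10000",
    "PHPE9568F34-D428-11D2-A769-00AA001ACF42",
}
# Same shape in general: the whole query string is "=PHP" followed by a GUID.
MAGIC_SHAPE = re.compile(r"^=(PHP[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12})$", re.I)
# Prefix of an Apache common/combined log line: client, timestamp, request line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*"')

def classify(target):
    """Return 'listed', 'same-shape' or None for a request target."""
    _, sep, query = target.partition("?")
    m = MAGIC_SHAPE.match(query) if sep else None
    if not m:
        return None
    return "listed" if m.group(1).upper() in THREAD_STRINGS else "same-shape"

def scan(lines):
    """Map client address -> list of (path, kind) for magic-string requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a log line in the assumed format
        client, target = m.groups()
        kind = classify(target)
        if kind:
            hits[client].append((target.partition("?")[0], kind))
    return dict(hits)

# Constructed sample log lines (documentation address ranges, invented paths).
SAMPLE = [
    '198.51.100.7 - - [28/Nov/2004:05:20:01 +0000] "GET /index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 4512',
    '198.51.100.7 - - [28/Nov/2004:05:20:02 +0000] "GET /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 HTTP/1.1" 200 2524',
    '203.0.113.9 - - [28/Nov/2004:05:21:10 +0000] "GET /index.php?id=7 HTTP/1.1" 200 900',
    '203.0.113.20 - - [28/Nov/2004:05:22:30 +0000] "GET /a.php?=PHP00000000-0000-0000-0000-000000000000 HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for client, found in scan(SAMPLE).items():
        print(client, found)
```

A client that sends several of these requests is most likely checking whether the server runs PHP; the thread names expose_php in php.ini as the setting that turns the behaviour off.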


