WebApp Sec mailing list archives

Re: PHP Easter Eggs


From: "James Barkley" <James.Barkley () noaa gov>
Date: Thu, 09 Dec 2004 12:29:49 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Seriously. Someone called these hidden gems?  They are not hidden -
on the contrary they are completely exposed.  Did you bother to look
at the source code?  The point of *open source* is that you can.  And
please don't tell me that it is impractical, because you had better
believe I investigated the source code before I used the rand function
to generate session hashes (because who knows how it determines what
level of inertia is acceptable for pseudo-random??)

-Jim Barkley

Rick Crelia wrote:

|Hmmm. Methinks we're making a mountain out of a molehill with this
|thread... no offense, but think about this: most MTAs come with
|version string information enabled by default. Sendmail, qmail,
|Postfix, etc.  A competent system administrator knows that in
|order to make the machine secure, you disable this functionality
|by making the appropriate configuration change.  These MTAs power
|a large hunk of the Internet MTAs in existence and are considered
|quite solid and secure (well, sendmail's gotten better anyway.. heh).
|
|I don't really see how the PHP "easter eggs" option is any different.
|
|Or did I miss something? You can turn this behavior off, and probably
|should in most instances.
|
|--rc
|
|*========================================*
|Rick Crelia - rick.crelia () oregonstate edu
|OSU Libraries - Dept of Library Technology
|Corvallis, OR 97331 - 541.737.8972
|
|
|On Fri, Dec 03, 2004 at 12:49:22PM -0500, Chuck Brockman spake thusly:
|
|>Maybe I'm not viewing this in the right light, but if PHP is to gain
|>momentum in the corporate world and seriously compete with the other
|>dominant web "languages", findings like this will discredit PHP.  I
|>personally like PHP and use it as well as others, but trying to sell
|>PHP to management with findings like this may hamper the growth and
|>acceptance of PHP.  Yes, I know there are Easter eggs in almost
|>everything out there, especially M$oft apps.
|>
|>Chuck
|>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBuIuLVtbq2E0xxN0RAgHEAJ9vt5ojq4KhoLhp7AM+bYhIbhOEgwCggrjc
agtcu5Zu9m8HMISrrLhPxKo=
=WwY4
-----END PGP SIGNATURE-----
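
The "you can turn this behavior off" point in the quoted reply, made concrete. This is an added example, not code from the thread or from the PHP project. Two facts it relies on: the php.ini directive `expose_php = Off` suppresses both the `X-Powered-By: PHP/x.y.z` response header and the easter eggs (PHP 5.5 later removed the eggs entirely), and the eggs were triggered by appending `?=<GUID>` to any PHP URL, the three GUIDs below being the documented PHP-logo, Zend-logo and credits values. The access-log format, the sample log lines and the function names are constructed for the example. The scanner flags fingerprinting probes in an access log and a header check tells you whether a given response still leaks the version, which is what a hardened server should no longer do.

```python
import re
from urllib.parse import urlsplit

# Query-string GUIDs PHP 4/5 answered to when expose_php was On: "GET /x.php?=<GUID>".
EASTER_EGGS = [
    ("PHPE9568F34-D428-11d2-A769-00AA001ACF42", "php-logo"),
    ("PHPE9568F35-D428-11d2-A769-00AA001ACF42", "zend-logo"),
    ("PHPE9568F36-D428-11d2-A769-00AA001ACF42", "php-credits"),
]
# Matched case-insensitively so scanners that vary case are still caught.
_EGG_BY_ID = {guid.upper(): name for guid, name in EASTER_EGGS}

# Minimal parser for an Apache/nginx "combined"-style log line (constructed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: one client walks two eggs in a row; the last line is a
# normal named parameter that merely contains a GUID and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Dec/2004:12:01:03 -0500] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [09/Dec/2004:12:01:04 -0500] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524
203.0.113.7 - - [09/Dec/2004:12:01:05 -0500] "GET /index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 30432
198.51.100.2 - - [09/Dec/2004:12:02:00 -0500] "GET /index.php?page=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 5120
""".splitlines()


def easter_egg_in_target(target):
    """Return the egg name if the request target is an easter-egg probe, else None.

    PHP keyed on the whole query string being "=<GUID>" (an empty parameter
    name), so a GUID appearing as the value of a named parameter is not a probe.
    """
    query = urlsplit(target).query
    if not query.startswith("="):
        return None
    return _EGG_BY_ID.get(query[1:].upper())


def scan_access_log(lines):
    """Return [(client_ip, egg_name), ...] for every probe found, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        egg = easter_egg_in_target(m.group("target"))
        if egg:
            hits.append((m.group("ip"), egg))
    return hits


def php_exposed_by_headers(headers):
    """Return the version string if an X-Powered-By header leaks PHP, else None.

    expose_php = On emits "X-Powered-By: PHP/<version>"; Off suppresses it and
    the easter eggs together, so this is the cheap remote check for the setting.
    """
    for name, value in headers.items():
        if name.lower() == "x-powered-by" and value.upper().startswith("PHP/"):
            return value[4:]
    return None


if __name__ == "__main__":
    for ip, egg in scan_access_log(SAMPLE_LOG):
        print(f"easter-egg probe from {ip}: {egg}")
    print("leaked version:", php_exposed_by_headers({"X-Powered-By": "PHP/4.3.9"}))
```

Two different eggs from the same client within seconds is the signature of a fingerprinting tool rather than a curious user; the per-line hits are enough to group on `ip` in whatever alerting you already have. Note that a server with `expose_php = Off` still answers the probe URL with the ordinary page and a 200, so the status code does not tell you the setting; the header check (or the absence of a logo in the body) does.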
