I think the 'main' point is trust. Every person who uses a computer
does so with some trust in the software running on it.
Example:
You don't really trust the internet, so you don't enter bank info, etc. on web sites.
BUT... you buy Quicken or MS Money and enter your bank info on your PC. You trust
Quicken/MS Money and Windows to keep that info on your PC. You really have no way of
knowing what happens to that info.
When you find 'eggs' or other bugs, your trust goes down and you either use other software
or none at all. PHP has done what everybody has done sometime during their life. If you think
every program out there is secure with no back doors, then you're in for a big surprise.
Heck... Netscape had one of the early eggs, the great fish tank or the electronic sign. MS Excel had
the flight program. You still use them today, don't you?
Jeffrey
-----Original Message-----
From: Scovetta, Michael V [mailto:Michael.Scovetta@ca.com]
Sent: Tuesday, November 30, 2004 11:29 AM
To: Carsten Kuckuk; Saqib.N.Ali@seagate.com
Cc: andi_mclean@ntlworld.com; webappsec@securityfocus.com
Subject: RE: Antwort: Re: Fwd: PHP Easter Eggs
While I don't agree with the idea of 'sneaking in' features like this, I
think at the very least, it should be moved to another flag
($php_easter_eggs), and the default setting should be 'off'. Of course,
I can't imagine anyone turning it on, but PHP isn't a toy project--
there shouldn't be any surprises.
Mike
-----Original Message-----
From: Carsten Kuckuk [mailto:ck@rib.de]
Sent: Tuesday, November 30, 2004 5:37 AM
To: Saqib.N.Ali@seagate.com
Cc: andi_mclean@ntlworld.com; webappsec@securityfocus.com
Subject: Antwort: Re: Fwd: PHP Easter Eggs
The documentation only states that this particular flag enables/disables
the PHP string that's sent back in the headers. But it does not mention
that it alters the semantics of GET statements when appended by a certain
"magic" string. So this part of the behaviour counts as an Easter Egg (and
potential security problem).
Saqib.N.Ali@seagate.com
29.11.2004 17:17
To: andi_mclean@ntlworld.com
Cc: webappsec@securityfocus.com
Subject: Re: Fwd: PHP Easter Eggs
Hello Andi,
I wouldn't classify this as an easter egg, especially since PHP provides a
way to disable it, and also because it is not something the PHP group is
trying to hide. In fact the setting to enable/disable this is very clearly
stated in the php.ini, and is called "expose_php".
It is used for exposing what the webserver is running, just like server
signature e.g. "Apache/1.3.26 (Unix) mod_gzip/1.3.26.1a PHP/4.3.3-dev "
..
Thanks.
Saqib Ali
http://validate.sf.net
Andi McLean <andi_mclean@ntlworld.com> wrote on 11/28/2004 05:21:38 AM:
> Hi,
>
> Does anyone know about the easter eggs in PHP?
> I've just found out about them. My trust in PHP has just had a major setback,
> as I'm wondering what other easter eggs there are and can any be used to
> circumvent the protection I have on my site.
> I feel like I now need to have a look at the source code, to find out what
> else is there.
>
> <anywebsite.that/uses.php>?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
>
> <anywebsite.thatuses.php>?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
>
> <anywebsite.thatuses.php>?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
>
> eg
> www.jsane.com/index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
> www.jsane.com/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
> www.jsane.com/index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
>
>
> Andi
Received on Dec 01 2004
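
Added example, not part of the original thread: a small access-log check that flags requests whose query string is one of the `=PHP<GUID>` values quoted above, or any string of the same shape. The log lines are constructed samples in common/combined log format, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# The three query-string tokens quoted in the thread, upper-cased for comparison.
KNOWN = {t.upper() for t in (
    "PHPE9568F36-D428-11d2-A769-00AA001ACF42",
    "PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000",
    "PHPE9568F34-D428-11d2-A769-00AA001ACF42",
)}
# Whole query is "=PHP<GUID>": also catches GUID variants not listed in the thread.
EGG_RE = re.compile(r"^=(PHP[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12})$", re.I)
# Common/combined log format: client, request method, request target, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def find_probes(lines):
    """Return (client, path, token, status, listed_in_thread) per matching request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable request line
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        egg = EGG_RE.match(url.query)
        if egg:
            token = egg.group(1)
            hits.append((client, url.path, token, int(status), token.upper() in KNOWN))
    return hits

def probes_by_client(hits):
    """Count matching requests per client address."""
    return Counter(h[0] for h in hits)

# Constructed sample log lines (documentation address ranges, made-up paths).
SAMPLE = [
    '203.0.113.7 - - [30/Nov/2004:11:29:00 +0000] "GET /index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524',
    '192.0.2.10 - - [30/Nov/2004:11:29:05 +0000] "GET /index.php?id=3 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [30/Nov/2004:11:29:09 +0000] "GET /shop/cart.php?=phpb8b5f2a0-3c92-11d3-a3a9-4c7b08c10000 HTTP/1.1" 200 77',
    '198.51.100.4 - - [30/Nov/2004:11:30:00 +0000] "GET /index.php?=PHP00000000-0000-0000-0000-000000000000 HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    found = find_probes(SAMPLE)
    for hit in found:
        print(hit)
    print(dict(probes_by_client(found)))
```
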