Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: PHP Easter Eggs

from [Jimi Thompson] Network Security [Permanent Link]
Subject: Re: PHP Easter Eggs
Date: Wed, 1 Dec 2004 22:35:41 -0600 
I think the real concern here is that they've put these "hidden little
gems" in there in the first place.  Since no one else seems to want to
come right out and say it, I'll do it.  If that's in there, what else
is in there that we just haven't found yet?

A photograph of someone's dog in and of itself isn't very threatening.
 However, when you expect your system and and application to be fairly
secure and you find something like this, you have to wonder what else
is there that's also not "public".

Does this mean that if I go join up on the PHP developers mailing
lists/forums that I can find out about other stuff that might enable
me to compromise a widely used e-commerce application like osCommerce?
or nukeCommerce? or phpShop? or X-cart? or any of the other scads of
both commercial and opensource e-commerce suites that are available.

The only comment I have for the PHP development team is that this is
_VERY_ uncool.

2 cents,

Jimi


On Tue, 30 Nov 2004 12:24:22 -0600, Paul Fierro <pablo@nothing.com> wrote:

On 11/30/2004 2:53 AM, exon <exon@home.se> wrote:


The code should be removed from PHP altogether since it doesn't exactly
provide much in the way of functionality. Possibly php_credits() could
be added as a function, the way php_info() is now. That way nobody could
glean information unawares, but the info would still be there if you
need it (and it would be much easier to come by).


A function named phpcredits() already exists:

http://www.php.net/phpcredits

Paul





-- 
Thanks,

Jimi
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Solutions to phishing and to site spoofing, Michael Silk
Next by Date:  Re: Account Lockouts, Alexander Klimov
Previous by Thread:  Re: PHP Easter Eggs, Paul Fierro
Next by Thread:  Re: PHP Easter Eggs, Griffiths, Ian
Indexes:  [Date] [Thread] [Top] [All Lists]