I don't think we can speculate what other holes are in there, or how much
faith we lost in the team. The fact is that these jovial additions reveal
PHP version. This is no more damaging than when server sig is left on and
also by the looks of it, no more difficult to fix.
----- Original Message -----
From: "Jimi Thompson" <jimi.thompson@gmail.com>
To: "Paul Fierro" <pablo@nothing.com>
Cc: <webappsec@securityfocus.com>
Sent: Thursday, December 02, 2004 4:35 AM
Subject: Re: PHP Easter Eggs
I think the real concern here is that they've put these "hidden little
gems" in there in the first place. Since no one else seems to want to
come right out and say it, I'll do it. If that's in there, what else
is in there that we just haven't found yet?
A photograph of someone's dog in and of itself isn't very threatening.
However, when you expect your system and and application to be fairly
secure and you find something like this, you have to wonder what else
is there that's also not "public".
Does this mean that if I go join up on the PHP developers mailing
lists/forums that I can find out about other stuff that might enable
me to compromise a widely used e-commerce application like osCommerce?
or nukeCommerce? or phpShop? or X-cart? or any of the other scads of
both commercial and opensource e-commerce suites that are available.
The only comment I have for the PHP development team is that this is
_VERY_ uncool.
2 cents,
Jimi
On Tue, 30 Nov 2004 12:24:22 -0600, Paul Fierro <pablo@nothing.com> wrote:
On 11/30/2004 2:53 AM, exon <exon@home.se> wrote:
The code should be removed from PHP altogether since it doesn't
exactly
provide much in the way of functionality. Possibly php_credits() could
be added as a function, the way php_info() is now. That way nobody
could
glean information unawares, but the info would still be there if you
need it (and it would be much easier to come by).
A function named phpcredits() already exists:
http://www.php.net/phpcredits
Paul
--
Thanks,
Jimi
