Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: PHP Easter Eggs

from [Chuck Brockman] Network Security [Permanent Link]
Subject: RE: PHP Easter Eggs
Date: Fri, 3 Dec 2004 12:49:22 -0500 

Maybe I'm not viewing this in the right light, but if PHP is to gain momentum 
in the corporate world and seriously compete with the other dominate web 
"languages", findings like this will discredit PHP.  I personally like PHP and 
use it as well as others, but trying to sell PHP to management with findings 
like this may hamper the growth and acceptance of PHP.  Yes, I know there are 
Easter eggs in almost everything out there, especially M$oft apps. 

Chuck


-----Original Message-----
From: Jimi Thompson [mailto:jimi.thompson@gmail.com]
Sent: Wednesday, December 01, 2004 11:36 PM
To: Paul Fierro
Cc: webappsec@securityfocus.com
Subject: Re: PHP Easter Eggs


I think the real concern here is that they've put these "hidden little
gems" in there in the first place.  Since no one else seems to want to
come right out and say it, I'll do it.  If that's in there, what else
is in there that we just haven't found yet?

A photograph of someone's dog in and of itself isn't very threatening.
 However, when you expect your system and and application to be fairly
secure and you find something like this, you have to wonder what else
is there that's also not "public".

Does this mean that if I go join up on the PHP developers mailing
lists/forums that I can find out about other stuff that might enable
me to compromise a widely used e-commerce application like osCommerce?
or nukeCommerce? or phpShop? or X-cart? or any of the other scads of
both commercial and opensource e-commerce suites that are available.

The only comment I have for the PHP development team is that this is
_VERY_ uncool.

2 cents,

Jimi


On Tue, 30 Nov 2004 12:24:22 -0600, Paul Fierro <pablo@nothing.com> wrote:

On 11/30/2004 2:53 AM, exon <exon@home.se> wrote:


The code should be removed from PHP altogether since it doesn't exactly
provide much in the way of functionality. Possibly php_credits() could
be added as a function, the way php_info() is now. That way nobody could
glean information unawares, but the info would still be there if you
need it (and it would be much easier to come by).


A function named phpcredits() already exists:

http://www.php.net/phpcredits

Paul





-- 
Thanks,

Jimi
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Article - A solution to phishing, Rogan Dawes
Next by Date:  Re: Account Lockouts, Michael Silk
Previous by Thread:  Re: SQL injection (no single quotes used), Adam Tuliper
Next by Thread:  Re: PHP Easter Eggs, Rick Crelia
Indexes:  [Date] [Thread] [Top] [All Lists]