Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: PHP Easter Eggs

from [Antonio Varni] Network Security [Permanent Link]
Subject: Re: PHP Easter Eggs
Date: Mon, 6 Dec 2004 13:45:23 -0800 
Besides acting as another fingerprinting method, unexpected output
like this could cause faults in other application's parsing routines.
For example a brittle front end application that later queries a php
server (that could be influenced to pass along this URL) might crash
any number of ways.  This could serve as a simple DOS, or expose
sensitive information if the errors are displayed to the attacker.

Might be a bit of a stretch, but unexpected behavior like this can act
an attack vector in a larger attack.


On Mon, 29 Nov 2004 20:40:41 -0600, Harrison Gladden <hgladden@gmail.com> wrote:

maybe it's me, but i'm failing to see the "big picture" here as far as
security is concerned.  It seems to me that this would only confirm to
the evil user that yes you are running php, thereby allowing him to
find php specific vulns??  Or is there something else i'm missing
here.

~Harrison



On Tue, 30 Nov 2004 06:12:00 +0200, Serban Gh. Ghita <serban@verasys.ro> 
wrote:

interesting, but very risking. i am wondering if an evil user could exploit
this and create hoaxes using this 'easter eggs'
i also wonder what impact could have this over the big companies websites
that are using php ;-)



Serban Gh. Ghita
coordonator departament IT
VERASYS International
serban@verasys.ro
zamolxe@php.net
http://www.verasys.ro
phone1: +40-251-406.152
phone2: +40-251-406.153
cell: +40-788.28.29.10

----- Original Message -----
From: "Andi McLean" <andi_mclean@ntlworld.com>
To: <webappsec@securityfocus.com>
Sent: Sunday, November 28, 2004 3:21 PM
Subject: Fwd: PHP Easter Eggs


Hi,

Does anyone know about the easter eggs in PHP?
I've just found out about them, My trust in PHP has just had a major set

back,

as I'm wondering what other easter eggs there are and can any be used to
circumenvent the protection I have on my site.
I feel like I now need to have a look at the source code, to find out what
else is there.

<anywebsite.that/uses.php>?=PHPE9568F36-D428-11d2-A769-00AA001ACF42

<anywebsite.thatuses.php>?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

<anywebsite.thatuses.php>?=PHPE9568F34-D428-11d2-A769-00AA001ACF42

eg
www.jsane.com/index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
www.jsane.com/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
www.jsane.com/index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42


Andi






--
___________________________________
Harrison Gladden <hgladden@gmail.com>
Computer Engineer & Science Major
~Past experience: He who never makes
   mistakes, never did anything that's worth.~
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: IE6 Vulnerability - Local File Detection, RSnake
Next by Date:  RE: SSO & 2FA deployments, Rishi Pande
Previous by Thread:  RE: PHP Easter Eggs, V. Poddubnyy
Next by Thread:  Re: Fwd: PHP Easter Eggs, Saqib . N . Ali
Indexes:  [Date] [Thread] [Top] [All Lists]