Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: PHP Easter Eggs

from [James Barkley] Network Security [Permanent Link]
Subject: Re: PHP Easter Eggs
Date: Thu, 09 Dec 2004 12:29:49 -0500 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

seriously.    Someone called these hidden gems?  They are not hidden -
on the contrary they are completely exposed.  Did you bother to look
at the source code?  The point of *open source* is that you can.  And
please don't tell me that it is impractical, because you had better
believe I investigated the source code before I used the rand function
to generate session hashes (because who knows how it determines what
level of inertia is acceptable for pseudo-random??)

- -Jim Barkley

Rick Crelia wrote:

|Hmmm. Methinks we're making a mountain out of a molehill with this
|thread... no offense, but think about this: most MTAs come with
|version string information enabled by default. Sendmail, qmail,
|Postfix, etc.  A competent system administrator knows that in
|order to make the machine secure, you disable this functionality
|by making the appropriate configuration change.  These MTAs power
|a large hunk of the Internet MTAs in existence and are considered
|quite solid and secure (well, sendmail's gotten better anyway.. heh).
|
|I don't really see how the PHP "easter eggs" option is any different.
|
|Or did I miss something? You can turn this behavior off, and probably
|should in most instances.
|
|--rc
|
|*========================================*
|Rick Crelia - rick.crelia@oregonstate.edu
|OSU Libraries - Dept of Library Technology
|Corvallis, OR 97331 - 541.737.8972
|
|
|On Fri, Dec 03, 2004 at 12:49:22PM -0500, Chuck Brockman spake thusly:
|
|>Maybe I'm not viewing this in the right light, but if PHP is to gain
momentum in the corporate world and seriously compete with the other
dominate web "languages", findings like this will discredit PHP.  I
personally like PHP and use it as well as others, but trying to sell
PHP to management with findings like this may hamper the growth and
acceptance of PHP.  Yes, I know there are Easter eggs in almost
everything out there, especially M$oft apps.
|>
|>Chuck
|>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBuIuLVtbq2E0xxN0RAgHEAJ9vt5ojq4KhoLhp7AM+bYhIbhOEgwCggrjc
agtcu5Zu9m8HMISrrLhPxKo=
=WwY4
-----END PGP SIGNATURE-----

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Article - A solution to phishing, Michael Silk
Next by Date:  SQL injection (no single quotes used), Juan Carlos Calderon
Previous by Thread:  Re: PHP Easter Eggs, Rick Crelia
Next by Thread:  OWASP WebGoat 3.5, Jeff Williams
Indexes:  [Date] [Thread] [Top] [All Lists]