-
November 29th, 2004, 08:16 PM
#1
PHP Easter eggs, Security issue?
So apparently PHP has easter eggs.
Find a site with PHP, and put this after the .php
?=PHPE9568F35-D428-11d2-A769-00AA001ACF42
Such as
http://www.antionline.com/index.php?...9-00AA001ACF42
It will display the Zend logo.
http://www.antionline.com/index.php?...9-4C7B08C10000
Shows credits (w/ version).
http://www.antionline.com/index.php?...9-00AA001ACF42
Shows a PHP logo.
http://www.antionline.com/index.php?...9-00AA001ACF42
Shows a puppy.
Worst part is that some of these change with the version of PHP (fingerprinting). They can be disabled by altering your php.ini file (expose_php), but apparently Antionline didn't know about it.
I don't think I like easter eggs in open source projects. Waste of code IMO.
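A defender-side check for the requests described in the post above, added here as an example and not part of the original thread: it scans web access logs for query strings of the `=PHP<GUID>` form quoted there and lists clients that requested more than one GUID. The log lines, IP addresses, the all-zero GUID and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Query-string shape quoted in the post: "=PHP" followed by a GUID and nothing else.
# Matched case-insensitively so differently-cased requests are still reported.
EGG_RE = re.compile(
    r"^=PHP[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$",
    re.IGNORECASE,
)
# Minimal parser for Common/Combined Log Format lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample input. Only the first GUID comes from the thread;
# the all-zero GUID is a placeholder standing in for "some other egg".
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Nov/2004:20:16:01 +0000] "GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146',
    '192.0.2.10 - - [29/Nov/2004:20:16:02 +0000] "GET /index.php?=PHP00000000-0000-0000-0000-000000000000 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [29/Nov/2004:20:17:40 +0000] "GET /index.php?id=42 HTTP/1.1" 200 9312',
    '198.51.100.7 - - [29/Nov/2004:20:18:03 +0000] "GET /news.php?=phpe9568f35-d428-11d2-a769-00aa001acf42 HTTP/1.1" 200 2146',
]

def find_egg_probes(lines):
    """Return {client_ip: [(path, guid, status), ...]} for easter-egg style requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        parts = urlsplit(m.group("target"))
        if EGG_RE.match(parts.query):
            guid = parts.query[4:].upper()  # drop the leading "=PHP"
            hits[m.group("ip")].append((parts.path, guid, int(m.group("status"))))
    return dict(hits)

def multi_guid_clients(hits, min_distinct=2):
    """Clients that asked for several different GUIDs, the pattern the post calls fingerprinting."""
    return sorted(
        ip for ip, reqs in hits.items()
        if len({guid for _, guid, _ in reqs}) >= min_distinct
    )

if __name__ == "__main__":
    found = find_egg_probes(SAMPLE_LOG)
    for ip, reqs in found.items():
        print(ip, reqs)
    print("multiple GUIDs requested by:", multi_guid_clients(found))
```

A 200 response to any of these requests means the server still answers them, which is what the expose_php setting mentioned in the post controls.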
-
November 29th, 2004, 11:44 PM
#2
Re: PHP Easter eggs, Security issue?
Originally posted here by Soda_Popinsky
So apparently PHP has easter eggs.
Erm, this is news?
I don't think I like easter eggs in open source projects. Waste of code IMO.
So recompile without those included. It IS open source.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
November 30th, 2004, 12:31 AM
#3
Re: Re: PHP Easter eggs, Security issue?
Originally posted here by chsh
Erm, this is news?
News to me! :P I learned about it through a mailing list, not docs or anything. Now from looking at Google, I see it's been around a while.
If I knew more about this directive when I heard about this I probably wouldn't have been as surprised. I thought this egg was something that slipped by everybody. (Which made me question the integrity of all open source projects)
http://www1.hw.ac.uk/ZendInformation...expose_php.htm
-
November 30th, 2004, 01:20 AM
#4
I would be wary of systems, closed or open, that have Easter Eggs, any more. I don't think the solution is to search through unfamiliar code, find the eggs, then attempt to recompile without them. It would be best if we could count on them not being there in the first place, especially in software in which a company or institution places a great deal of trust, or their corporate reputation. This is wrong on so many levels, though, not just for security or code integrity.
-
November 30th, 2004, 02:32 AM
#5
It was shown by some programmer several years ago that it is possible to include functions without anything traceable through the current source code. He worked on in-house code for some companies, and then later showed an example of this by producing a fork of some open source C compiler at the time, while commenting that he personally would not hire a person like himself. I think the person was Turing? I don't remember, but it was interesting to see what could be done with something built by itself.
Anyways, since that was proven, it is entirely possible to have offending functions not be present at all in the source code, but present in the final binary. But usually that is for something that compiles itself. To determine if this had happened, you'd have to go through the entire source tree from day 1 on the project and understand each and every version of the code and how it interacts in compiling later versions...and this code wouldn't necessarily all be present in a single version... Of course, it can happen to both closed and open projects...
-
November 30th, 2004, 03:31 AM
#6
You can find tons of Easter Eggs here:
http://www.eeggs.com/
I find much of it interesting, especially when I can win a game of Solitaire or Freecell with no effort at all...
A_T
Geek isn't just a four-letter word; it's a six-figure income.