PHP Easter eggs, Security issue?

  1. #1

    PHP Easter eggs, Security issue?

    So apparently PHP has easter eggs.

    Find a site with PHP, and put this after the .php

    ?=PHPE9568F35-D428-11d2-A769-00AA001ACF42

    Such as
    http://www.antionline.com/index.php?...9-00AA001ACF42
    It will display the Zend logo.

    http://www.antionline.com/index.php?...9-4C7B08C10000
    Shows credits (w/ version).

    http://www.antionline.com/index.php?...9-00AA001ACF42
    Shows a PHP logo.

    http://www.antionline.com/index.php?...9-00AA001ACF42
    Shows a puppy.

    Worst part is that some of these change with the version of PHP (fingerprinting). They can be disabled by altering your php.ini file (expose_php), but apparently Antionline didn't know about it.

    I don't think I like easter eggs in open source projects. Waste of code IMO.
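
Added example, not part of the original post: a Python sketch of two defensive checks for the behaviour described above, flagging access-log requests that carry a `?=PHP<GUID>` query of the shape quoted in the post, and testing php.ini text for `expose_php`. The function names, the combined log format and the sample lines are assumptions constructed for illustration; a missing directive is treated as on because that is PHP's default.

```python
import re

# "?=PHP" plus a GUID-shaped token at the start of the query string,
# the shape of the value quoted in the post above.
EGG_RE = re.compile(
    r"\?=PHP[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}", re.I)
# Client address and request target from a combined-format access log line.
REQ_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) [^"]*"')

SAMPLE_LOG = [  # constructed lines, documentation-range addresses
    '192.0.2.10 - - [01/Jan/2005:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2005:10:00:05 +0000] '
    '"GET /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524',
    '192.0.2.10 - - [01/Jan/2005:10:00:09 +0000] "GET /view.php?id=PHP5 HTTP/1.1" 200 880',
]

def find_egg_probes(log_lines):
    """Return (client, target) for each request carrying an easter-egg query."""
    hits = []
    for line in log_lines:
        m = REQ_RE.match(line)
        if m and EGG_RE.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

def expose_php_enabled(ini_text):
    """True if the php.ini text leaves expose_php on.

    A missing or commented-out directive counts as enabled (PHP default)."""
    value = "on"
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        key, sep, val = line.partition("=")
        if sep and key.strip().lower() == "expose_php":
            value = val.strip().strip('"').lower()   # last assignment wins
    return value in ("on", "1", "true", "yes")

if __name__ == "__main__":
    for client, target in find_egg_probes(SAMPLE_LOG):
        print("easter-egg query from", client, "->", target)
    print("expose_php on:", expose_php_enabled("; expose_php = Off\n"))
```
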

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255

    Re: PHP Easter eggs, Security issue?

    Originally posted here by Soda_Popinsky
    So apparently PHP has easter eggs.
    Erm, this is news?

    I don't think I like easter eggs in open source projects. Waste of code IMO.
    So recompile without those included. It IS open source.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  3. #3

    Re: Re: PHP Easter eggs, Security issue?

    Originally posted here by chsh
    Erm, this is news?
    News to me! :P I learned about it through a mailing list, not docs or anything. Now from looking at Google, I see it's been around a while.

    If I knew more about this directive when I heard about this I probably wouldn't have been as surprised. I thought this egg was something that slipped by everybody. (Which made me question the integrity of all open source projects)
    http://www1.hw.ac.uk/ZendInformation...expose_php.htm

  4. #4
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    I would be wary of systems, closed or open, that have Easter Eggs, any more. I don't think the solution is to search through unfamiliar code, find the eggs, then attempt to recompile without them. It would be best if we could count on them not being there in the first place, especially in software in which a company or institution places a great deal of trust, or their corporate reputation. This is wrong on so many levels, though, not just for security or code integrity.

  5. #5
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    It was shown by some programmer several years ago that it is possible to include functions without anything traceable through the current source code. He worked on in-house code for some companies, and then later showed an example of this by producing a fork of some open source C compiler at the time, while commenting that he personally would not hire a person like himself. I think the person was Turing? I don't remember, but it was interesting to see what could be done with something built by itself.

    Anyways, since that was proven, it is entirely possible to have offending functions not be present at all in the source code, but present in the final binary. But usually that is for something that compiles itself. To determine if this had happened, you'd have to go through the entire source tree from day 1 on the project and understand each and every version of the code and how it interacts in compiling later versions...and this code wouldn't necessarily all be present in a single version... Of course, it can happen to both closed and open projects...

  6. #6
    Senior Member
    Join Date
    Jan 2004
    Location
    Hawaii
    Posts
    351
    You can find tons of Easter Eggs here:
    http://www.eeggs.com/

    I find much of it interesting, especially when I can win a game of Solitaire or Freecell with no effort at all...

    A_T
    Geek isn't just a four-letter word; it's a six-figure income.
