Small Mosaic




Wed, 01 Dec 2004

PHP Easter Eggs and Version Disclosure
There has recently been a thread about PHP easter eggs on the webappsec security list. In essence, if you call ANY PHP page with certain parameters, custom pages will be returned.

Here's an example of the PHP Credits Page. It may seem a little petty to complain about such a small thing in a code-base provided for free, but there is a more serious aspect to this: the pages returned vary depending on the version of PHP you run, so it's possible to use this to determine which version the server is running, even if you've changed the ServerTokens directive to something more restrictive than the default.

While you can disable this using 'expose_php = Off' in your php.ini file, easter eggs in Internet-exposed production code annoy the hell out of me.
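As an added example (not code from the post), here is a small defender-side check: it scans Apache-style access log lines for requests carrying the well-known easter-egg query GUIDs, so you can see whether anyone is fingerprinting your PHP version this way, and it reads a php.ini fragment to confirm expose_php is actually off. The GUID values and the sample log lines are my own additions; the post itself only says "certain parameters".

```python
import re

# Query-string GUIDs that PHP 4.x/5.x (before 5.5) answered with easter-egg pages.
# Assumption: these widely documented values are used to recognise the probe.
EASTER_EGG_IDS = {
    "PHPE9568F34-D428-11d2-A769-00AA001ACF42": "PHP logo",
    "PHPE9568F35-D428-11d2-A769-00AA001ACF42": "Zend logo",
    "PHPE9568F36-D428-11d2-A769-00AA001ACF42": "PHP credits page",
    "PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000": "PHP information page",
}

# Apache "combined"/"common" log prefix: client, identity, user, [time], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Dec/2004:16:41:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Dec/2004:16:41:02 +0000] "GET /index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 7310',
    '198.51.100.9 - - [01/Dec/2004:16:42:10 +0000] "GET /about.php?=phpe9568f34-d428-11d2-a769-00aa001acf42 HTTP/1.0" 200 2523',
]


def find_easter_egg_probes(lines):
    """Return (client, target, status, description) for each request carrying an easter-egg GUID.

    Matching is deliberately case-insensitive: PHP itself compares the GUID exactly, but a
    lower-cased probe is still a fingerprinting attempt worth seeing in the log review.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        target = m.group("target")
        for guid, desc in EASTER_EGG_IDS.items():
            if guid.lower() in target.lower():
                hits.append((m.group("client"), target, m.group("status"), desc))
    return hits


def expose_php_enabled(php_ini_text):
    """True if this php.ini would still serve the easter eggs (directive absent, or set to On)."""
    value = "On"  # PHP's built-in default when expose_php is not set at all
    for raw in php_ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ini comments
        if "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if key.lower() == "expose_php":
                value = val.strip("\"'")  # last occurrence wins, as in php.ini
    return value.lower() in ("on", "1", "true", "yes")


if __name__ == "__main__":
    for client, target, status, desc in find_easter_egg_probes(SAMPLE_LOG):
        print(f"{client} requested {desc} via {target} (status {status})")
    print("expose_php still on:", expose_php_enabled("expose_php = Off\n"))
```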


Posted: 2004/12/01 16:41 | /security



Copyright © 2000-2010 Dean Wilson