PHP Easter Eggs and Version Disclosure

There has recently been a thread about PHP easter eggs on the webappsec security list. In essence, if you call ANY PHP page with certain query-string parameters, custom pages (the PHP credits, logo and info pages) are returned instead of the requested page.

Here’s an example of the PHP Credits Page. It may seem a little petty to complain about such a small thing in a code-base provided for free, but there is a more serious aspect to this: the pages returned vary depending on the version of PHP you run, so it’s possible to use them to determine which version the server is running, even if you’ve changed the ServerTokens directive to something more restrictive than the default.

While you can disable this using ‘expose_php = Off’ in your php.ini file, easter eggs in Internet-exposed production code annoy the hell out of me.
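As an added illustration (not part of the original post), here is the weak php.ini setting beside the hardened one. Setting expose_php to Off disables the easter-egg pages and also stops PHP from adding its X-Powered-By response header, which otherwise leaks the exact PHP version regardless of ServerTokens.

```ini
; --- Weak (default in many distributions) ---
; Easter-egg query strings return the PHP credits/logo/info pages,
; and every response carries "X-Powered-By: PHP/<exact version>".
expose_php = On

; --- Hardened ---
; Easter-egg pages are suppressed and the X-Powered-By header is not sent.
; This is a PHP_INI_SYSTEM directive: it must be set in php.ini (or the
; main server config), not in .htaccess or at runtime with ini_set().
expose_php = Off
```

Pair this with a restrictive ServerTokens setting in Apache, since the two directives hide different headers and only together remove the version disclosure described above.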