I think the real concern here is that they've put these "hidden little
gems" in there in the first place. Since no one else seems to want to
come right out and say it, I'll do it. If that's in there, what else
is in there that we just haven't found yet?

A photograph of someone's dog in and of itself isn't very threatening.
However, when you expect your system and and application to be fairly
secure and you find something like this, you have to wonder what else
is there that's also not "public".

Does this mean that if I go join up on the PHP developers mailing
lists/forums that I can find out about other stuff that might enable
me to compromise a widely used e-commerce application like osCommerce?
or nukeCommerce? or phpShop? or X-cart? or any of the other scads of
both commercial and opensource e-commerce suites that are available.

The only comment I have for the PHP development team is that this is
_VERY_ uncool.

2 cents,

Jimi

On Tue, 30 Nov 2004 12:24:22 -0600, Paul Fierro <pablo (at) nothing (dot) com [email concealed]> wrote:
> On 11/30/2004 2:53 AM, exon <exon (at) home (dot) se [email concealed]> wrote:
>
> > The code should be removed from PHP altogether since it doesn't exactly
> > provide much in the way of functionality. Possibly php_credits() could
> > be added as a function, the way php_info() is now. That way nobody could
> > glean information unawares, but the info would still be there if you
> > need it (and it would be much easier to come by).
>
> A function named phpcredits() already exists:
>
> http://www.php.net/phpcredits
>
> Paul
>
>

--
Thanks,

Jimi

[ reply ]

I think the real concern here is that they've put these "hidden little<br/>
gems" in there in the first place. Since no one else seems to want to<br/>
come right out and say it, I'll do it. If that's in there, what else<br/>
is in there that we just haven't found yet?<br/>
<br/>
A photograph of someone's dog in and of itself isn't very threatening.<br/>
However, when you expect your system and and application to be fairly<br/>
secure and you find something like this, you have to wonder what else<br/>
is there that's also not "public".<br/>
<br/>
Does this mean that if I go join up on the PHP developers mailing<br/>
lists/forums that I can find out about other stuff that might enable<br/>
me to compromise a widely used e-commerce application like osCommerce?<br/>
or nukeCommerce? or phpShop? or X-cart? or any of the other scads of<br/>
both commercial and opensource e-commerce suites that are available.<br/>
<br/>
The only comment I have for the PHP development team is that this is<br/>
_VERY_ uncool.<br/>
<br/>
2 cents,<br/>
<br/>
Jimi<br/>
<br/>
On Tue, 30 Nov 2004 12:24:22 -0600, Paul Fierro <pablo (at) nothing (dot) com [email concealed]> wrote:<br/>
> On 11/30/2004 2:53 AM, exon <exon (at) home (dot) se [email concealed]> wrote:<br/>
> <br/>
> > The code should be removed from PHP altogether since it doesn't exactly<br/>
> > provide much in the way of functionality. Possibly php_credits() could<br/>
> > be added as a function, the way php_info() is now. That way nobody could<br/>
> > glean information unawares, but the info would still be there if you<br/>
> > need it (and it would be much easier to come by).<br/>
> <br/>
> A function named phpcredits() already exists:<br/>
> <br/>
> http://www.php.net/phpcredits<br/>
> <br/>
> Paul<br/>
> <br/>
><br/>
<br/>
-- <br/>
Thanks,<br/>
<br/>
Jimi

[ reply ]

I think the real concern here is that they've put these "hidden little<br/><br/>
gems" in there in the first place. Since no one else seems to want to<br/><br/>
come right out and say it, I'll do it. If that's in there, what else<br/><br/>
is in there that we just haven't found yet?<br/><br/>
<br/><br/>
A photograph of someone's dog in and of itself isn't very threatening.<br/><br/>
However, when you expect your system and and application to be fairly<br/><br/>
secure and you find something like this, you have to wonder what else<br/><br/>
is there that's also not "public".<br/><br/>
<br/><br/>
Does this mean that if I go join up on the PHP developers mailing<br/><br/>
lists/forums that I can find out about other stuff that might enable<br/><br/>
me to compromise a widely used e-commerce application like osCommerce?<br/><br/>
or nukeCommerce? or phpShop? or X-cart? or any of the other scads of<br/><br/>
both commercial and opensource e-commerce suites that are available.<br/><br/>
<br/><br/>
The only comment I have for the PHP development team is that this is<br/><br/>
_VERY_ uncool.<br/><br/>
<br/><br/>
2 cents,<br/><br/>
<br/><br/>
Jimi<br/><br/>
<br/><br/>
On Tue, 30 Nov 2004 12:24:22 -0600, Paul Fierro <pablo (at) nothing (dot) com [email concealed]> wrote:<br/><br/>
> On 11/30/2004 2:53 AM, exon <exon (at) home (dot) se [email concealed]> wrote:<br/><br/>
> <br/><br/>
> > The code should be removed from PHP altogether since it doesn't exactly<br/><br/>
> > provide much in the way of functionality. Possibly php_credits() could<br/><br/>
> > be added as a function, the way php_info() is now. That way nobody could<br/><br/>
> > glean information unawares, but the info would still be there if you<br/><br/>
> > need it (and it would be much easier to come by).<br/><br/>
> <br/><br/>
> A function named phpcredits() already exists:<br/><br/>
> <br/><br/>
> http://www.php.net/phpcredits<br/><br/>
> <br/><br/>
> Paul<br/><br/>
> <br/><br/>
><br/><br/>
<br/><br/>
-- <br/><br/>
Thanks,<br/><br/>
<br/><br/>
Jimi

[ reply ]

I think the real concern here is that they've put these "hidden little<br/><br/><br/>
gems" in there in the first place. Since no one else seems to want to<br/><br/><br/>
come right out and say it, I'll do it. If that's in there, what else<br/><br/><br/>
is in there that we just haven't found yet?<br/><br/><br/>
<br/><br/><br/>
A photograph of someone's dog in and of itself isn't very threatening.<br/><br/><br/>
However, when you expect your system and and application to be fairly<br/><br/><br/>
secure and you find something like this, you have to wonder what else<br/><br/><br/>
is there that's also not "public".<br/><br/><br/>
<br/><br/><br/>
Does this mean that if I go join up on the PHP developers mailing<br/><br/><br/>
lists/forums that I can find out about other stuff that might enable<br/><br/><br/>
me to compromise a widely used e-commerce application like osCommerce?<br/><br/><br/>
or nukeCommerce? or phpShop? or X-cart? or any of the other scads of<br/><br/><br/>
both commercial and opensource e-commerce suites that are available.<br/><br/><br/>
<br/><br/><br/>
The only comment I have for the PHP development team is that this is<br/><br/><br/>
_VERY_ uncool.<br/><br/><br/>
<br/><br/><br/>
2 cents,<br/><br/><br/>
<br/><br/><br/>
Jimi<br/><br/><br/>
<br/><br/><br/>
On Tue, 30 Nov 2004 12:24:22 -0600, Paul Fierro <pablo (at) nothing (dot) com [email concealed]> wrote:<br/><br/><br/>
> On 11/30/2004 2:53 AM, exon <exon (at) home (dot) se [email concealed]> wrote:<br/><br/><br/>
> <br/><br/><br/>
> > The code should be removed from PHP altogether since it doesn't exactly<br/><br/><br/>
> > provide much in the way of functionality. Possibly php_credits() could<br/><br/><br/>
> > be added as a function, the way php_info() is now. That way nobody could<br/><br/><br/>
> > glean information unawares, but the info would still be there if you<br/><br/><br/>
> > need it (and it would be much easier to come by).<br/><br/><br/>
> <br/><br/><br/>
> A function named phpcredits() already exists:<br/><br/><br/>
> <br/><br/><br/>
> http://www.php.net/phpcredits<br/><br/><br/>
> <br/><br/><br/>
> Paul<br/><br/><br/>
> <br/><br/><br/>
><br/><br/><br/>
<br/><br/><br/>
-- <br/><br/><br/>
Thanks,<br/><br/><br/>
<br/><br/><br/>
Jimi

[ reply ]