Besides acting as another fingerprinting method, unexpected output
like this could cause faults in other application's parsing routines.
For example a brittle front end application that later queries a php
server (that could be influenced to pass along this URL) might crash
any number of ways. This could serve as a simple DOS, or expose
sensitive information if the errors are displayed to the attacker.

Might be a bit of a stretch, but unexpected behavior like this can act
an attack vector in a larger attack.

On Mon, 29 Nov 2004 20:40:41 -0600, Harrison Gladden <hgladden (at) gmail (dot) com [email concealed]> wrote:
> maybe it's me, but i'm failing to see the "big picture" here as far as
> security is concerned. It seems to me that this would only confirm to
> the evil user that yes you are running php, thereby allowing him to
> find php specific vulns?? Or is there something else i'm missing
> here.
>
> ~Harrison
>
>
>
> On Tue, 30 Nov 2004 06:12:00 +0200, Serban Gh. Ghita <serban (at) verasys (dot) ro [email concealed]> wrote:
> > interesting, but very risking. i am wondering if an evil user could exploit
> > this and create hoaxes using this 'easter eggs'
> > i also wonder what impact could have this over the big companies websites
> > that are using php ;-)
> >
> >
> >
> > Serban Gh. Ghita
> > coordonator departament IT
> > VERASYS International
> > serban (at) verasys (dot) ro [email concealed]
> > zamolxe (at) php (dot) net [email concealed]
> > http://www.verasys.ro
> > phone1: +40-251-406.152
> > phone2: +40-251-406.153
> > cell: +40-788.28.29.10
> >
> > ----- Original Message -----
> > From: "Andi McLean" <andi_mclean (at) ntlworld (dot) com [email concealed]>
> > To: <webappsec (at) securityfocus (dot) com [email concealed]>
> > Sent: Sunday, November 28, 2004 3:21 PM
> > Subject: Fwd: PHP Easter Eggs
> >
> > > Hi,
> > >
> > > Does anyone know about the easter eggs in PHP?
> > > I've just found out about them, My trust in PHP has just had a major set
> > back,
> > > as I'm wondering what other easter eggs there are and can any be used to
> > > circumenvent the protection I have on my site.
> > > I feel like I now need to have a look at the source code, to find out what
> > > else is there.
> > >
> > > <anywebsite.that/uses.php>?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
> > >
> > > <anywebsite.thatuses.php>?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
> > >
> > > <anywebsite.thatuses.php>?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
> > >
> > > eg
> > > www.jsane.com/index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
> > > www.jsane.com/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
> > > www.jsane.com/index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
> > >
> > >
> > > Andi
> >
> >
>
>
> --
> ___________________________________
> Harrison Gladden <hgladden (at) gmail (dot) com [email concealed]>
> Computer Engineer & Science Major
> ~Past experience: He who never makes
> mistakes, never did anything that's worth.~
>

[ reply ]

Besides acting as another fingerprinting method, unexpected output<br/>
like this could cause faults in other application's parsing routines.<br/>
For example a brittle front end application that later queries a php<br/>
server (that could be influenced to pass along this URL) might crash<br/>
any number of ways. This could serve as a simple DOS, or expose<br/>
sensitive information if the errors are displayed to the attacker.<br/>
<br/>
Might be a bit of a stretch, but unexpected behavior like this can act<br/>
an attack vector in a larger attack.<br/>
<br/>
On Mon, 29 Nov 2004 20:40:41 -0600, Harrison Gladden <hgladden (at) gmail (dot) com [email concealed]> wrote:<br/>
> maybe it's me, but i'm failing to see the "big picture" here as far as<br/>
> security is concerned. It seems to me that this would only confirm to<br/>
> the evil user that yes you are running php, thereby allowing him to<br/>
> find php specific vulns?? Or is there something else i'm missing<br/>
> here.<br/>
> <br/>
> ~Harrison<br/>
> <br/>
> <br/>
> <br/>
> On Tue, 30 Nov 2004 06:12:00 +0200, Serban Gh. Ghita <serban (at) verasys (dot) ro [email concealed]> wrote:<br/>
> > interesting, but very risking. i am wondering if an evil user could exploit<br/>
> > this and create hoaxes using this 'easter eggs'<br/>
> > i also wonder what impact could have this over the big companies websites<br/>
> > that are using php ;-)<br/>
> ><br/>
> ><br/>
> ><br/>
> > Serban Gh. Ghita<br/>
> > coordonator departament IT<br/>
> > VERASYS International<br/>
> > serban (at) verasys (dot) ro [email concealed]<br/>
> > zamolxe (at) php (dot) net [email concealed]<br/>
> > http://www.verasys.ro<br/>
> > phone1: +40-251-406.152<br/>
> > phone2: +40-251-406.153<br/>
> > cell: +40-788.28.29.10<br/>
> ><br/>
> > ----- Original Message -----<br/>
> > From: "Andi McLean" <andi_mclean (at) ntlworld (dot) com [email concealed]><br/>
> > To: <webappsec (at) securityfocus (dot) com [email concealed]><br/>
> > Sent: Sunday, November 28, 2004 3:21 PM<br/>
> > Subject: Fwd: PHP Easter Eggs<br/>
> ><br/>
> > > Hi,<br/>
> > ><br/>
> > > Does anyone know about the easter eggs in PHP?<br/>
> > > I've just found out about them, My trust in PHP has just had a major set<br/>
> > back,<br/>
> > > as I'm wondering what other easter eggs there are and can any be used to<br/>
> > > circumenvent the protection I have on my site.<br/>
> > > I feel like I now need to have a look at the source code, to find out what<br/>
> > > else is there.<br/>
> > ><br/>
> > > <anywebsite.that/uses.php>?=PHPE9568F36-D428-11d2-A769-00AA001ACF4
2<br/>
> > ><br/>
> > > <anywebsite.thatuses.php>?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
<br/>
> > ><br/>
> > > <anywebsite.thatuses.php>?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
<br/>
> > ><br/>
> > > eg<br/>
> > > www.jsane.com/index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42<br/>
> > > www.jsane.com/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000<br/>
> > > www.jsane.com/index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42<br/>
> > ><br/>
> > ><br/>
> > > Andi<br/>
> ><br/>
> ><br/>
> <br/>
> <br/>
> --<br/>
> ___________________________________<br/>
> Harrison Gladden <hgladden (at) gmail (dot) com [email concealed]><br/>
> Computer Engineer & Science Major<br/>
> ~Past experience: He who never makes<br/>
> mistakes, never did anything that's worth.~<br/>
>

[ reply ]