Wang Products

News: The PHP Easter Egg - is it a security flaw?

There is an interesting little Easter Egg that is present in versions of PHP 4.x and 5.x, which allows you to view an image of a dog (or in some cases a rabbit apparently) on almost any website/server that is using PHP.

For those who are unfamiliar with the term "Easter Egg" - it basically refers to a hidden surprise feature that is not apparent in normal use but does something special when triggered. Sometimes an Easter Egg takes the form of an extra level in a game or an animated message of some kind. Programmers sometimes bury Easter Eggs in their programs or web sites to add extra depth and challenge users to find them.

The PHP Easter Egg was widely reported on sites such as digg.com today, but has been present (and reported) for some time. To access the Easter Egg all you need to do is append the following string to any URL that is a PHP page:

?=PHPE9568F36-D428-11d2-A769-00AA001ACF42

For example:

http://www.php.net/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42

This URL should cause you to see a hidden picture of a dog. In some cases you may see pictures of other things, or even different dogs - it all depends on the version of PHP that is installed on the web server. This is obviously a cool little discovery - but the question that it brought to mind for me was... is this a security flaw?

The reason for my concern is that a large number of server administrators go to great lengths to hide the fact that PHP is installed on their server. They do this to give attackers less information about the server during any vulnerability scans/probes they might be performing. Techniques they use to "hide" the presence of PHP on the server include changing the .php file extension to something different, and also setting the expose_php directive to Off in the php.ini configuration file (which prevents PHP from announcing its presence in the HTTP headers the server sends).

My concern was that perhaps this Easter Egg could be a way for attackers to identify the presence of PHP on the server, even if the administrator had taken other precautions to prevent this! But... I was proved wrong :) It seems the PHP developers have done a good job: the Easter Egg only works if expose_php is enabled in the php.ini file (which it is by default), so an administrator who has turned it off gives nothing away here either.

So there we have it :) A cool Easter Egg which will work on all PHP 4.x and 5.x servers that have expose_php enabled :) Enjoy!
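Administrators who want to confirm their own hardening can turn the observation above into a self-check. The following Python script is an added example, not code from the original post: it requests the Easter Egg URL against a server you operate and reports whether the logo image or an X-Powered-By header came back, either of which means expose_php is still On. The function names, the header-matching rules and the two constructed sample responses are my own assumptions, not anything from the PHP source.

```python
"""Self-audit for the expose_php leak: does our own server still serve the Easter Egg?"""
import sys
import urllib.error
import urllib.request

# Query string from the post; PHP only answers it when expose_php is On.
EGG_QUERY = "=PHPE9568F36-D428-11d2-A769-00AA001ACF42"


def classify_response(status, headers):
    """Return a list of findings for one HTTP response to the Easter Egg URL.

    headers is a dict with lower-cased header names. An empty list means
    nothing in this response reveals PHP.
    """
    findings = []
    powered_by = headers.get("x-powered-by", "")
    if powered_by.lower().startswith("php"):
        findings.append("X-Powered-By header announces " + powered_by)
    content_type = headers.get("content-type", "")
    if status == 200 and content_type.startswith("image/"):
        findings.append("Easter Egg logo served: expose_php is On")
    return findings


def audit_url(base_url, timeout=10):
    """Fetch base_url?=PHPE... and classify the reply (network; use on your own server)."""
    request = urllib.request.Request(
        base_url.rstrip("?") + "?" + EGG_QUERY,
        headers={"User-Agent": "expose-php-self-audit"},
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return classify_response(response.status, {k.lower(): v for k, v in response.headers.items()})
    except urllib.error.HTTPError as err:  # e.g. 404 on a non-PHP URL still carries headers
        return classify_response(err.code, {k.lower(): v for k, v in err.headers.items()})


# Constructed sample responses (not captured from any real host) for offline use.
SAMPLE_HARDENED = (200, {"content-type": "text/html; charset=utf-8", "server": "Apache"})
SAMPLE_EXPOSED = (200, {"content-type": "image/gif", "x-powered-by": "PHP/5.1.4"})

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_url(target) if target else classify_response(*SAMPLE_EXPOSED)
    print("\n".join(results) if results else "No expose_php leak detected")
```

Run it with the URL of a PHP page on a server you administer; with no argument it classifies the constructed exposed sample.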
Comments
Comment by foamy the squirrel - 25-07-2006

Right, so what you are saying is if web admins haven't disabled expose_php on PHP ver 4.x - 5.x you can see Easter Egg style pics and verify that they are using those two versions of PHP. Cool



Comment by Olivier - 26-07-2006

Yes the string is defined here in the code of PHP
http://lxr.php.net/source/php-src/ext/standard/info.h#54



Comment by shadow.net - 25-09-2006

How would I obtain the PHP page?



Comment by John - 10-01-2007

There's another one or two, I do believe the PHP image is generated to support php_info().


