About the Author

Chris Shiflett

Chris Shiflett is an author and speaker who leads the web application security practice at OmniTI.


Catching Up and Keeping Up

I've been very busy since OSCON, so my blog pipeline is full. Hopefully I can properly catch up on some topics I've been meaning to discuss in the next few weeks. If you've been busy like me, you might be wondering how to catch up and keep up with the things that are most important to you. I've found that having my own planet (blog aggregator) has helped tremendously. If your tastes are similar (PHP, web application security, etc.), you might like mine, cleverly (yeah, right) dubbed Planet Chris. Other planets you might find interesting are Planet PHP, Planet Web Security, and Planet MySQL, although I highly recommend creating your own. I haven't found a feed aggregator that compares to the simplicity and elegance of a planet's river of news style, and no existing one is likely to perfectly match your own tastes.

In my absence, one of the most interesting stories was the Facebook leak that was reported on TechCrunch. The interesting part of the story was how badly the leak was explained:

It seems that the cause was Apache and mod_php sending back uninterpreted source code as opposed to output, due to either a server misconfiguration or high load (this is a known issue).

As you can imagine, the "known issue" remark resulted in more than a few raised eyebrows. The author, Nik Cubrilovic, took the time to elaborate on his own blog:

PHP has always been notorious for sometimes not processing requests poorly and sending back the source code for pages to the client.

I've been known to sometimes not write poorly. In fact, I'm notorious for it. I've always been notorious for it.

Joking aside, this comment fueled a number of posts, including Clay Loveless's fact-filled response and Vidyut Luther's humorous recommendations for avoiding PHP leakage. My favorite comments came from Sean Coates during an episode of the Pro PHP Podcast:

Anyone who's ever set up PHP and Apache knows exactly what happened here.

I love how he says it with a tone that a parent might use with a child, the "you know what you did" tone. He also makes another straightforward observation:

PHP by definition is not at fault, because PHP code didn't run.

It's a shame Terry Chay didn't comment.

About This Post

Catching Up and Keeping Up was posted on Wed, 05 Sep 2007 at 13:55:53 GMT.

5 Comments

1. Dejan Kozina said:

Please take note that your 'Facebook leak' link in the 2nd paragraph is pointing back to shiflett.org - I had to fiddle with the URL to go to TechCrunch.

... and don't you dare to spit out source code to me just 'cause I caught you in error.

Anyway, nice write-up overall.

Wed, 05 Sep 2007 at 18:09:08 GMT


2. Chris Shiflett said:

Thanks, Dejan. It has now been fixed.

Wed, 05 Sep 2007 at 18:11:56 GMT


3. Andy Dowling said:

PHP code itself can be used to mitigate such risks of misconfiguration. This is particularly useful in a shared server environment, or if you have limited control over your configuration. The following line of code can be included at the start of a PHP script:

<?php if (0 == 1) { ?>
<!-- Only reaches the browser when PHP did not run and the file was served as-is -->
<META HTTP-EQUIV="Refresh" Content="0; URL=http://domain.com/plain.html">
<?php } ?>

If PHP is running (and not confusing 0s with 1s, which it is notorious for), this redirect will be safely ignored. Otherwise, the user is shown a plain html page.

Thu, 06 Sep 2007 at 02:27:46 GMT


4. Sean Coates said:

Andy: that doesn't actually prevent anyone from stealing accidentally-exposed code.

A simple:

<?php echo file_get_contents('http://example.com/exposedscript.php'); ?>

Would do it.

(so would: `curl http://example.com/exposedscript.php`)

S

Thu, 06 Sep 2007 at 18:15:36 GMT
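
The exchange in comments 3 and 4 boils down to one question a server operator can check for rather than argue about: did the response body come back as rendered output, or as the PHP file itself? The script below is an added example, not code from the post or from any of the commenters. It classifies a response body by looking for a surviving PHP open tag, runs that check over two constructed bodies (one rendered, one leaked and carrying the meta-refresh trick from comment 3), and shows why the trick does not help: the source is already in the body whether or not a browser follows the refresh. The regex heuristic, the `check_url` wrapper around `curl`, and the placeholder secret are all assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the post or its comments): tell rendered PHP
# output apart from raw, unprocessed PHP source in an HTTP response body.
# The sample bodies are constructed for this demonstration; nothing is
# fetched from the network when the script runs as-is.

# Return 0 when the body still contains a PHP open tag (<?php, <?=, or a
# bare short tag <?), i.e. the server handed out source instead of output.
# An XML declaration (<?xml ...) does not match, so XHTML output is not a
# false positive. This is a heuristic chosen for the example.
body_leaks_php_source() {
    printf '%s\n' "$1" | grep -Eq '<[?](php|=)?([[:space:]]|$)'
}

# Classify a body as "ok" or "leak" (echoed, so a monitoring hook can use it).
classify_body() {
    if body_leaks_php_source "$1"; then
        echo leak
    else
        echo ok
    fi
}

# What a correctly configured server returns: the script ran.
RENDERED_BODY='<html><body><p>Hello, Chris.</p></body></html>'

# What a misconfigured server returns: the file itself, including the
# meta-refresh trick from comment 3. A browser may follow the refresh,
# but the source (and the constructed placeholder secret) has already
# left the server, which is the point made in comment 4.
LEAKED_BODY='<?php if (0 == 1) { ?>
<META HTTP-EQUIV="Refresh" Content="0; URL=http://domain.com/plain.html">
<?php } ?>
<?php
$db_password = "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-SECRET";
echo "<p>Hello, " . htmlspecialchars($name) . ".</p>";
?>'

# Live variant for a health check against a page you operate: fetch it
# and classify the body. Not called here, so the script stays offline.
check_url() {
    classify_body "$(curl -fsS "$1")"
}

echo "rendered output: $(classify_body "$RENDERED_BODY")"
echo "leaked source:   $(classify_body "$LEAKED_BODY")"
```

Run against a page you operate with `check_url http://your-host/some-script.php` from a cron job or monitoring agent; a result of `leak` means the handler for `.php` is not being applied and the file should be treated as disclosed, no matter what the first lines of that file try to do once they reach a browser.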


5. Andrew said:

Link to the dead PHP Leakage post referenced above:

http://web.archive.org/web/20080214...ng-php-leakage/

Wed, 03 Dec 2008 at 00:03:57 GMT

