About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.


Catching Up and Keeping Up

I've been very busy since OSCON, so my blog pipeline is full. Hopefully I can properly catch up on some topics I've been meaning to discuss in the next few weeks. If you've been busy like me, you might be wondering how to catch up and keep up with the things that are most important to you. I've found that having my own planet (blog aggregator) has helped tremendously. If your tastes are similar (PHP, web application security, etc.), you might like mine, cleverly (yeah, right) dubbed Planet Chris. Other planets you might find interesting are Planet PHP, Planet Web Security, and Planet MySQL, although I highly recommend creating your own. I haven't found a feed aggregator that compares to the simplicity and elegance of a planet's river of news style, and no existing one is likely to perfectly match your own tastes.

In my absence, one of the most interesting stories was the Facebook leak that was reported on TechCrunch. The interesting part of the story was how badly the leak was explained:

It seems that the cause was Apache and mod_php sending back uninterpreted source code as opposed to output, due to either a server misconfiguration or high load (this is a known issue).

As you can imagine, the "known issue" remark resulted in more than a few raised eyebrows. The author, Nik Cubrilovic, took the time to elaborate on his own blog:

PHP has always been notorious for sometimes not processing requests poorly and sending back the source code for pages to the client.

I've been known to sometimes not write poorly. In fact, I'm notorious for it. I've always been notorious for it.

Joking aside, this comment fueled a number of posts, including Clay Loveless's fact-filled response and Vidyut Luther's humorous recommendations for avoiding PHP leakage. My favorite comments came from Sean Coates during an episode of the Pro PHP Podcast:

Anyone who's ever set up PHP and Apache knows exactly what happened here.

I love how he says it with a tone that a parent might use with a child, the "you know what you did" tone. He also makes another straightforward observation:

PHP by definition is not at fault, because PHP code didn't run.

It's a shame Terry Chay didn't comment.
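The failure described above (Apache handing back the raw .php file instead of running it) can only be caught from the outside, because nothing inside PHP runs when PHP is not running. As an added example, not code from this post or from any of the people quoted, here is a small Python check that looks at what a client actually received; the sample responses are constructed.

```python
"""Flag an HTTP response that looks like leaked PHP source.

Added example. When a .php URL is served by Apache without going through
mod_php (missing or misconfigured handler), the client gets the source
text instead of rendered output. Constructed sample responses below.
"""
import re

# PHP open tags: "<?php", "<?=" or a bare short tag "<?", but not "<?xml".
_OPEN_TAG = re.compile(r"<\?(php\b|=|(?!xml\b))", re.IGNORECASE)

# Content types a correctly configured server should never send for .php.
_SUSPECT_TYPES = ("application/x-httpd-php", "application/x-php",
                  "text/x-php", "application/octet-stream")


def detect_php_leak(headers, body):
    """Return a reason string if the response looks like leaked PHP
    source, or None if it looks like rendered output."""
    ctype = ""
    for name, value in headers.items():
        if name.lower() == "content-type":
            ctype = value.split(";")[0].strip().lower()
    if ctype in _SUSPECT_TYPES:
        return "content-type %s indicates the file was served, not run" % ctype
    if _OPEN_TAG.search(body):
        return "PHP open tag present in response body"
    return None


# Constructed sample responses (header dict, body).
RENDERED = ({"Content-Type": "text/html; charset=UTF-8"},
            "<html><body><p>Hello, Chris</p></body></html>")
LEAKED = ({"Content-Type": "application/x-httpd-php"},
          "<?php\n$db = mysql_connect('localhost', 'user', 'p4ss');\n?>")
LEAKED_SHORT = ({"Content-Type": "text/html"},
                "<? include 'config.php'; ?><html><body>hi</body></html>")
XML_OK = ({"Content-Type": "application/xml"},
          '<?xml version="1.0"?><feed/>')

if __name__ == "__main__":
    for label, (h, b) in [("rendered", RENDERED), ("leaked", LEAKED),
                          ("short tag", LEAKED_SHORT), ("xml", XML_OK)]:
        print(label, "->", detect_php_leak(h, b))
```

Run it against a monitoring fetch of your own .php URLs; a hit means the handler configuration, not the PHP code, needs attention.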

About This Post

Catching Up and Keeping Up was posted on Wed, 05 Sep 2007 at 13:55:53 GMT.

5 Comments

1. Dejan Kozina said:

Please take note that your 'Facebook leak' link in the 2nd paragraph is pointing back to shiflett.org - I had to fiddle with the URL to go to TechCrunch.

... and don't you dare to spit out source code to me just 'cause I caught you in error.

Anyway, nice write-up overall.

Wed, 05 Sep 2007 at 18:09:08 GMT


2. Chris Shiflett said:

Thanks, Dejan. It has now been fixed.

Wed, 05 Sep 2007 at 18:11:56 GMT


3. Andy Dowling said:

PHP code itself can be used to mitigate such risks of misconfiguration. This is particularly useful in a shared server environment, or if you have limited control over your configuration. The following line of code can be included at the start of a PHP script:

<?php if (0 == 1) { ?><META HTTP-EQUIV="Refresh" Content="0; URL=http://domain.com/plain.html"><?php } ?>

If PHP is running (and not confusing 0s with 1s, which it is notorious for), this redirect will be safely ignored. Otherwise, the user is shown a plain html page.

Thu, 06 Sep 2007 at 02:27:46 GMT


4. Sean Coates said:

Andy: that doesn't actually prevent anyone from stealing accidentally-exposed code.

A simple:

<?php echo file_get_contents('http://example.com/exposedscript.php'); ?>

Would do it.

(so would: `curl http://example.com/exposedscript.php`)

S

Thu, 06 Sep 2007 at 18:15:36 GMT


5. Andrew said:

Link to the dead PHP Leakage post referenced above:

http://web.archive.org/web/20080214...ng-php-leakage/

Wed, 03 Dec 2008 at 00:03:57 GMT

