About the Author

Chris Shiflett

Chris Shiflett is an author and speaker who leads the web application security practice at OmniTI.


Catching Up and Keeping Up

I've been very busy since OSCON, so my blog pipeline is full. Hopefully I can properly catch up on some topics I've been meaning to discuss in the next few weeks. If you've been busy like me, you might be wondering how to catch up and keep up with the things that are most important to you. I've found that having my own planet (blog aggregator) has helped tremendously. If your tastes are similar (PHP, web application security, etc.), you might like mine, cleverly (yeah, right) dubbed Planet Chris. Other planets you might find interesting are Planet PHP, Planet Web Security, and Planet MySQL, although I highly recommend creating your own. I haven't found a feed aggregator that compares to the simplicity and elegance of a planet's river of news style, and no existing one is likely to perfectly match your own tastes.

In my absence, one of the most interesting stories was the Facebook leak that was reported on TechCrunch. The interesting part of the story was how badly the leak was explained:

It seems that the cause was Apache and mod_php sending back uninterpreted source code as opposed to output, due to either a server misconfiguration or high load (this is a known issue).

As you can imagine, the "known issue" remark resulted in more than a few raised eyebrows. The author, Nik Cubrilovic, took the time to elaborate on his own blog:

PHP has always been notorious for sometimes not processing requests poorly and sending back the source code for pages to the client.

I've been known to sometimes not write poorly. In fact, I'm notorious for it. I've always been notorious for it.

Joking aside, this comment fueled a number of posts, including Clay Loveless's fact-filled response and Vidyut Luther's humorous recommendations for avoiding PHP leakage. My favorite comments came from Sean Coates during an episode of the Pro PHP Podcast:

Anyone who's ever set up PHP and Apache knows exactly what happened here.

I love how he says it with a tone that a parent might use with a child, the "you know what you did" tone. He also makes another straightforward observation:

PHP by definition is not at fault, because PHP code didn't run.

It's a shame Terry Chay didn't comment.

About This Post

Catching Up and Keeping Up was posted on Wed, 05 Sep 2007 at 13:55:53 GMT.

4 Comments

1. Dejan Kozina said:

Please take note that your 'Facebook leak' link in the 2nd paragraph is pointing back to shiflett.org - I had to fiddle with the URL to go to TechCrunch.

... and don't you dare to spit out source code to me just 'cause I caught you in error.

Anyway, nice write-up overall.

Wed, 05 Sep 2007 at 18:09:08 GMT


2. Chris Shiflett said:

Thanks, Dejan. It has now been fixed.

Wed, 05 Sep 2007 at 18:11:56 GMT


3. Andy Dowling said:

PHP code itself can be used to mitigate such risks of misconfiguration. This is particularly useful in a shared server environment, or if you have limited control over your configuration. The following line of code can be included at the start of a PHP script:

<?php if (0 == 1) { /* never true: when PHP runs, the META tag below is skipped */ ?> <META HTTP-EQUIV="Refresh" Content="0; URL=http://domain.com/plain.html"> <?php } ?>

If PHP is running (and not confusing 0s with 1s, which it is notorious for), this redirect will be safely ignored. Otherwise, the user is shown a plain html page.

Thu, 06 Sep 2007 at 02:27:46 GMT


4. Sean Coates said:

Andy: that doesn't actually prevent anyone from stealing accidentally-exposed code.

A simple:

<?php echo file_get_contents('http://example.com/exposedscript.php'); ?>

Would do it.

(so would: `curl http://example.com/exposedscript.php`)

S

Thu, 06 Sep 2007 at 18:15:36 GMT
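A defender's check for the failure the post and the two comments above discuss, added here as an example and not code from the post or its commenters: it flags an HTTP response as unprocessed PHP source when the Content-Type is one Apache uses for a .php file no handler touched, or when a PHP open tag appears outside elements that legitimately display code. The sample responses are constructed.

```python
import re

# Open tags that only survive in unprocessed PHP source: "<?php" and the "<?=" echo tag.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Elements in which a page may legitimately *display* PHP code (a tutorial, a style guide).
DISPLAY_BLOCK = re.compile(r"<(pre|code|textarea)\b[^>]*>.*?</\1\s*>", re.IGNORECASE | re.DOTALL)
# MIME types Apache sends for a .php file when the PHP handler did not process it.
SOURCE_MIME_TYPES = {"application/x-httpd-php", "application/x-php", "text/x-php"}


def php_leak_reasons(content_type: str, body: str) -> list:
    """Return the reasons a response looks like raw PHP source; an empty list means clean."""
    reasons = []
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime in SOURCE_MIME_TYPES:
        reasons.append("content-type %s means the PHP handler did not run" % mime)
    # Strip displayed-code blocks first so a page that merely *shows* PHP is not flagged.
    outside_display = DISPLAY_BLOCK.sub("", body)
    match = PHP_OPEN_TAG.search(outside_display)
    if match:
        reasons.append("PHP open tag %r found outside <pre>/<code>/<textarea>" % match.group(0))
    return reasons


# Constructed sample responses (not real captures).
SAMPLES = {
    "unprocessed": ("application/x-httpd-php",
                    "<?php\n$link = mysql_connect('db1', 'app', 'hunter2');\n?>\n<html>...</html>"),
    "meta_refresh_trick": ("text/html",
                           '<?php if (0 == 1) { ?> <META HTTP-EQUIV="Refresh" Content="0; URL=/plain.html"> <?php } ?>'),
    "tutorial_page": ("text/html; charset=utf-8",
                      "<html><body><p>Example:</p><pre><?php echo 'hi'; ?></pre></body></html>"),
    "normal_page": ("text/html; charset=utf-8", "<html><body><h1>Welcome</h1></body></html>"),
}


def scan_samples() -> dict:
    """Run the check over every constructed sample; the value is True when a leak is flagged."""
    return {name: bool(php_leak_reasons(ctype, body)) for name, (ctype, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ctype, body) in SAMPLES.items():
        print(name, php_leak_reasons(ctype, body) or "clean")
```

Note that the META-refresh variant is still flagged: a monitoring client, like curl in Sean's reply, reads the body and never follows the refresh.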

