Email to security@: Did you guys know you have phpinfo output accessible on your websites?

Me: Yes. It's on purpose. We're an open source project and we believe in transparency.

Email (smugly): Hah! But you probably don't realize your entire git repo is visible!

Me: What, you mean these? <links to github where all sites' sources live>


The first email is forgivable, even appreciation-worthy, as it looks like a common vulnerability.

Once you've been told it's not, though... eh?
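The "entire git repo is visible" report above is the standard exposed-`.git` finding, and a triager wants two things before forwarding it: confirmation that the server really serves git metadata rather than a soft-404 page, and the remote URL from `.git/config`, which tells you at a glance whether the "leaked" source is already a public repository. The check below is an added example written for this page, not code from the thread or from the PHP project; the sample bodies are constructed, and the `example.invalid` remote URL is a placeholder.

```python
"""Soft-404-aware check for an exposed .git directory (added example, not from the thread)."""
import re
import sys
from urllib.request import Request, urlopen
from urllib.error import URLError

# A real .git/HEAD is either a symbolic ref or a bare commit id (SHA-1 or SHA-256 repos).
HEAD_RE = re.compile(r"\A(?:ref: refs/[\w./-]+|[0-9a-f]{40}|[0-9a-f]{64})\s*\Z")

# Constructed sample responses standing in for what a scanner would fetch.
SAMPLE_HEAD = "ref: refs/heads/master\n"
SAMPLE_CONFIG = (
    "[core]\n"
    "\trepositoryformatversion = 0\n"
    "\tfilemode = true\n"
    '[remote "origin"]\n'
    "\turl = https://example.invalid/phpcommunity/website.git\n"
    "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
    '[branch "master"]\n'
    "\tremote = origin\n"
)
SAMPLE_SOFT_404 = "<!DOCTYPE html><html><body><h1>Not found</h1></body></html>\n"


def looks_like_git_head(body: str) -> bool:
    """True only for a plausible .git/HEAD; an HTML error page returned with 200 fails."""
    return bool(HEAD_RE.match(body))


def looks_like_git_config(body: str) -> bool:
    """True for a plausible .git/config: INI text with a [core] section and the
    repositoryformatversion key git always writes."""
    return "[core]" in body and "repositoryformatversion" in body


def remote_urls(config_body: str) -> dict:
    """Map remote name -> url from a .git/config body (minimal INI walk)."""
    remotes = {}
    current = None
    for raw in config_body.splitlines():
        line = raw.strip()
        m = re.match(r'\[remote "([^"]+)"\]', line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("["):
            current = None          # left the remote section
            continue
        if current and line.startswith("url"):
            _, _, value = line.partition("=")
            remotes[current] = value.strip()
    return remotes


def assess(head_body: str, config_body: str) -> dict:
    """Combine both probes; report remotes so a triager can see whether the
    'leaked' repository is already public (as in the thread above)."""
    exposed = looks_like_git_head(head_body) and looks_like_git_config(config_body)
    return {"exposed": exposed, "remotes": remote_urls(config_body) if exposed else {}}


def fetch(url: str, timeout: float = 5.0) -> str:
    """Fetch up to 4 KiB of a URL; any error is treated as 'nothing there'."""
    try:
        req = Request(url, headers={"User-Agent": "git-exposure-check"})
        with urlopen(req, timeout=timeout) as resp:
            return resp.read(4096).decode("utf-8", "replace")
    except (URLError, ValueError, OSError):
        return ""


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python check.py https://host
        base = sys.argv[1].rstrip("/")
        print(assess(fetch(base + "/.git/HEAD"), fetch(base + "/.git/config")))
    else:                                      # offline demo on the constructed samples
        print(assess(SAMPLE_HEAD, SAMPLE_CONFIG))
        print(assess(SAMPLE_SOFT_404, SAMPLE_SOFT_404))
```

Requiring both `HEAD` and `config` to parse as git files is what keeps a catch-all 200 page from producing the false positive; the remote URL is the "did you mean these?" answer the maintainer gave above, produced before anyone has to write an email.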

@pollita "Ha ha! I have access to /etc/passwd on this machine"

"Yes, it's a shell account, you nit-wit. We all do."

@craigmaloney I'll bet you didn't know I can access your homepage using an ordinary web browser!

@saramg @craigmaloney This reminds me of that story about a new project manager discovering you could "view source" on their corporate web page and see all of their proprietary HTML, js, and css. This caused a chain of events that culminated in the CEO banning Chrome as a web development tool. I'll have to see if I can dig that one up. It's both comical and horrifying.

@zalasur @craigmaloney But... wait... what? That's... that's not how that works. That's not how any of that works.

@saramg @craigmaloney Yeah, it was a doozy to read. I can't seem to find the link to it anymore. The story itself is a bit apocryphal but I've worked at enough agencies to believe it's probably happened.

Multiple times, I bet.

@zalasur @craigmaloney Thank god I'm at a point in my career where an employer not embracing open source can be an instant deal killer.

@zalasur "proprietary HTML, js, and css" the literal stuff of nightmares.

How does one even start to explain this.

@fractal He had no clue. He just saw the source code out there in the open and immediately went to "We've been hacked!"

PHP Community on Mastodon