Email to security@: Did you guys know you have phpinfo output accessible on your websites?
Me: Yes. It's on purpose. We're an open source project and we believe in transparency.
Email (smugly): Hah! But you probably don't realize your entire git repo is visible!
Me: What, you mean these? <links to github where all php.net sites' sources live>
The first email is forgivable, even appreciation worthy, as it looks like a common vulnerability.
Once you've been told it's not though... eh?
@pollita "Ha ha! I have access to /etc/passwd on this machine"
"Yes, it's a shell account, you nit-wit. We all do."
@saramg @craigmaloney This reminds me of that story about a new project manager discovering you could "view source" on their corporate web page and see all of their proprietary HTML, js, and css. This caused a chain of events that culminated in the CEO banning Chrome as a web development tool. I'll have to see if I can dig that one up. It's both comical and horrifying.
@zalasur "proprietary HTML, js, and css" the literal stuff of nightmares.
How does one even start to explain this.
@fractal He had no clue. He just saw the source code out there in the open and immediately went to "We've been hacked!"