The hidden images within PHP

Mattias Geniar, Tuesday, February 21, 2012

This is something I've only just recently found out, but did you know that the logos of the PHP project are hidden within the PHP source code and can be magically shown using a simple URL string?

When does it work?

This only works when the PHP flag expose_php is set to 'On' in the php.ini configuration. This is the case by default when you take the normal php.ini and don't change it.

That setting adds an HTTP header to every request, showing you that PHP is installed and exposing the PHP version.

# curl -I "https://ma.ttias.be/"
HTTP/1.1 200 OK
Server: nginx
X-Powered-By: PHP/5.3.10
...

That alone should give you reason enough to disable the expose_php setting though. ;-)

How does it work?

If you know a site or server runs PHP, chances are it has the expose_php setting set to On. That means you can simply call the following URLs:

By simply adding these GET parameters (?=GUID) to the URL, you retrieve the logo. Those GUIDs are defined in the following functions.

# php -r 'echo php_logo_guid(); '
PHPE9568F34-D428-11d2-A769-00AA001ACF42
# php -r 'echo php_egg_logo_guid(); '             
PHPE9568F36-D428-11d2-A769-00AA001ACF42
# php -r 'echo zend_logo_guid(); '        
PHPE9568F35-D428-11d2-A769-00AA001ACF42

And any of those GUIDs can be used to retrieve an image.
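As an added example (not code from the original post), the Python sketch below shows how a defender could spot both signals described above: requests carrying one of the logo GUIDs in an access log, and the PHP version leaked by the X-Powered-By header. The GUIDs and the header come from the post; the log lines, IP addresses, combined log format and function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# GUIDs from the php -r output above, upper-cased for case-insensitive matching.
LOGO_GUIDS = {
    "PHPE9568F34-D428-11D2-A769-00AA001ACF42": "php_logo_guid",
    "PHPE9568F36-D428-11D2-A769-00AA001ACF42": "php_egg_logo_guid",
    "PHPE9568F35-D428-11D2-A769-00AA001ACF42": "zend_logo_guid",
}
# Client address and request target of a combined-format access log line.
REQUEST_RE = re.compile(r'^(\S+) [^"]*"[A-Z]+ (\S+) HTTP/[\d.]+"')
POWERED_BY_RE = re.compile(r"^X-Powered-By:\s*PHP(?:/(\S+))?\s*$", re.I | re.M)


def find_logo_probes(log_lines):
    """Return (client, path, guid_function) for requests carrying a logo GUID."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        client, target = m.groups()
        url = urlsplit(target)
        query = url.query.upper()
        for guid, name in LOGO_GUIDS.items():
            if guid in query:
                hits.append((client, url.path, name))
    return hits


def exposed_php_version(raw_headers):
    """Return the version leaked by X-Powered-By, '' if unversioned, None if absent."""
    m = POWERED_BY_RE.search(raw_headers)
    return None if m is None else (m.group(1) or "")


# Constructed sample data (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Feb/2012:10:00:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Feb/2012:10:00:05 +0100] "GET /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524 "-" "curl/7.21"',
    '198.51.100.7 - - [21/Feb/2012:10:00:06 +0100] "GET /blog/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2962 "-" "curl/7.21"',
    '192.0.2.10 - - [21/Feb/2012:10:00:09 +0100] "GET /search?q=php+logo HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]
SAMPLE_HEADERS = "HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Powered-By: PHP/5.3.10\r\n"

if __name__ == "__main__":
    for hit in find_logo_probes(SAMPLE_LOG):
        print("logo GUID request:", hit)
    print("X-Powered-By leaks PHP version:", exposed_php_version(SAMPLE_HEADERS))
```

With expose_php set to Off, the header check returns None and the GUID requests no longer return an image, so any remaining hits in the log are probes rather than successful fingerprinting.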



Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.


Comments

itoctopus Wednesday, February 22, 2012 at 18:33

Hi Mattias,

I knew about this a few years ago – there are also many other PHP Easter eggs. Just Google “PHP Easter eggs” and you’ll be surprised by what you’ll see!

