The hidden images within PHP



Mattias Geniar, February 21, 2012


This is something I’ve only just recently found out, but did you know that the logos of the PHP project are hidden within the PHP source code and can be magically shown using a simple URL string?

When does it work?

This only works when the PHP flag expose_php is set to ‘On’ in the php.ini configuration. That is the default in the php.ini that ships with PHP, so it applies whenever you don’t change it.

That setting adds an HTTP header to every response, showing you that PHP is installed and exposing the PHP version.

# curl -I "/"
HTTP/1.1 200 OK
Server: nginx
X-Powered-By: PHP/5.3.10
...

That alone should give you reason enough to disable the expose_php setting though. ;-)
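If you want to check your own servers for that header, the small POSIX shell script below does it. It is an added example, not code from the original post: the header sample is constructed to mirror the curl output above, and the function names (php_version_from_headers, expose_php_leaks, check_url) are my own.

```shell
#!/bin/sh
# Added example (not part of the original post): detect the PHP version
# leak that expose_php=On produces, by inspecting HTTP response headers.

# Constructed sample, shaped like the `curl -I` output shown in the post.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
X-Powered-By: PHP/5.3.10
Content-Type: text/html'

# php_version_from_headers HEADERS
# Prints the version advertised by an "X-Powered-By: PHP/x.y.z" header
# (case-insensitive header name), or nothing if no such header exists.
php_version_from_headers() {
    printf '%s\n' "$1" | awk '
        tolower($0) ~ /^x-powered-by: *php/ && index($0, "/") {
            split($0, p, "/")      # p[2] is everything after the first slash
            sub(/\r$/, "", p[2])   # drop the CR that raw HTTP headers carry
            print p[2]
            exit
        }'
}

# expose_php_leaks HEADERS
# Returns 0 (true) when a PHP version is leaked, 1 otherwise.
expose_php_leaks() {
    [ -n "$(php_version_from_headers "$1")" ]
}

# check_url URL
# Live check against a server you operate: fetches the headers with curl
# and reports whether expose_php looks enabled.
check_url() {
    headers=$(curl -sI "$1") || return 2
    if expose_php_leaks "$headers"; then
        echo "expose_php appears On: PHP/$(php_version_from_headers "$headers")"
    else
        echo "no PHP version header"
    fi
}
```

Run it as `check_url https://your-site.example/` against a host you administer. The fix is the one the post hints at: set `expose_php = Off` in php.ini and restart PHP (or php-fpm); that removes the X-Powered-By header and, on the PHP versions that still ship them, also disables the logo easter eggs described below, since they are guarded by the same setting.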

How does it work?

If you have a site/server you know runs PHP, chances are it has the expose_php setting set to On. That means you can simply request the site’s URL with a query string of the form ?=GUID (the query string is literally a question mark, an equals sign and the GUID):

By adding that GET parameter to the URL, you retrieve the logo. The GUIDs are returned by the following functions.

# php -r 'echo php_logo_guid(); '
PHPE9568F34-D428-11d2-A769-00AA001ACF42
# php -r 'echo php_egg_logo_guid(); '
PHPE9568F36-D428-11d2-A769-00AA001ACF42
# php -r 'echo zend_logo_guid(); '
PHPE9568F35-D428-11d2-A769-00AA001ACF42

And any of those GUIDs can be used to retrieve an image.
