The following is the research I did to show what Easter eggs PHP had that could be accessed and then prevented from being accessed by using .htaccess.
Using htaccess to deny access to PHP Easter Eggs
This is a worked example of rewrite rules, with a special focus on URLs that involve = or ? and a query, which some parts of mod_rewrite sometimes recognise as just a URL.
Below are some example URLs that you can use to test the .htaccess file. Pay special attention to the = and ?. Some of these URLs will not be recognised as having queries.
Next to each line in the htaccess code are some numbers that match the example URLs. The numbers signify which URLs successfully triggered a rewrite.
URL Examples:
1 - http://localhost/turnip.php?tool=PHPE9568F36-D428-11d2-A769-00AA001ACF42 (common exploits hits first)
2 - http://localhost/turnip.php=PHPE9568F36-D428-11d2-A769-00AA001ACF42 (this has no query)
3 - http://localhost/turnip.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
4 - http://localhost/=PHPE9568F36-D428-11d2-A769-00AA001ACF42
5 - http://localhost/tmp/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
htaccess code
## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). See http://www.0php.com/php_easter_egg.php and
## http://osvdb.org/12184 for more information
These success codes are valid on XAMPP only
#135# RewriteCond %{QUERY_STRING} ^(.)*PHPE9568F36-D428-11d2-A769-00AA001ACF42(.)* [NC]
#135# RewriteCond %{QUERY_STRING} .*PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
#135# RewriteCond %{QUERY_STRING} .*=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
#135# RewriteCond %{QUERY_STRING} (?=PHP).* [NC] "# PHP Version Probing"
#135# RewriteCond %{QUERY_STRING} .*(?=PHP).* [NC]
#35# RewriteCond %{QUERY_STRING} ^=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
#35# RewriteCond %{QUERY_STRING} (&|^){1,1}=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
#2# RewriteCond %{QUERY_STRING} ^(.)+PHPE9568F36-D428-11d2-A769-00AA001ACF42(.)+ [NC]
#none# RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
#none# RewriteCond %{QUERY_STRING} ^(.*)\?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
#24# RewriteCond %{REQUEST_URI} .*(=PHP).*[NC]
#24# RewriteCond %{REQUEST_URI} .*(?=PHP).*[NC]
#24# RewriteCond %{REQUEST_URI} ^(?=PHP).*[NC]
#24# RewriteCond %{REQUEST_URI} (.*)(?=PHP).*[NC]
#24# RewriteCond %{REQUEST_URI} (^(.*)?=PHP).*[NC]
#24# RewriteCond %{REQUEST_URI} .*(=PHP).*[NC]
#24# RewriteCond %{REQUEST_URI} (.*)(=PHP).*[NC]
#24# RewriteCond %{REQUEST_URI} (^(.*)=PHP).*[NC]
#24# RewriteCond %{REQUEST_URI} (PHP).*[NC]
#none# RewriteCond %{REQUEST_URI} ^(=PHP).*[NC]
#Rewrite rule forced on# RewriteCond %{REQUEST_URI} (?=PHP).* [NC]
#Rewrite rule forced on# RewriteCond %{REQUEST_URI} ^.*(?=PHP).*[NC]
#RewriteRule ^(.*)$ extra/joomla-fingerprinting.php [L]
#RewriteRule ^(.*)$ extra/joomla-fingerprinting.html [L]
These codes are valid on my web server with extra security, including Suhosin
# RewriteCond %{QUERY_STRING} ^(.)*PHPE9568F36-D428-11d2-A769-00AA001ACF42(.)* [NC]
# RewriteCond %{QUERY_STRING} .*PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
# RewriteCond %{QUERY_STRING} .*=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
# RewriteCond %{QUERY_STRING} (?=PHP).* [NC] "# PHP Version Probing"
# RewriteCond %{QUERY_STRING} .*(?=PHP).* [NC]
#none# RewriteCond %{QUERY_STRING} ^=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
#none# RewriteCond %{QUERY_STRING} (&|^){1,1}=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
# RewriteCond %{QUERY_STRING} ^(.)+PHPE9568F36-D428-11d2-A769-00AA001ACF42(.)+ [NC]
# RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
# RewriteCond %{QUERY_STRING} ^(.*)\?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
#24# RewriteCond %{REQUEST_URI} .*(=PHP).*[NC]
#24# RewriteCond %{REQUEST_URI} .*(?=PHP).*[NC]
#24# RewriteCond %{REQUEST_URI} ^(?=PHP).*[NC]
#24# RewriteCond %{REQUEST_URI} (.*)(?=PHP).*[NC]
#24# RewriteCond %{REQUEST_URI} (^(.*)?=PHP).*[NC]
#24# RewriteCond %{REQUEST_URI} .*(=PHP).*[NC]
#24# RewriteCond %{REQUEST_URI} (.*)(=PHP).*[NC]
#24# RewriteCond %{REQUEST_URI} (^(.*)=PHP).*[NC]
#24# RewriteCond %{REQUEST_URI} (PHP).*[NC]
#none# RewriteCond %{REQUEST_URI} ^(=PHP).*[NC]
#Rewrite rule forced on# RewriteCond %{REQUEST_URI} (?=PHP).* [NC]
#Rewrite rule forced on# RewriteCond %{REQUEST_URI} ^.*(?=PHP).*[NC]
#RewriteRule ^(.*)$ extra/joomla-fingerprinting.php [L]
#RewriteRule ^(.*)$ extra/joomla-fingerprinting.html [L]
Selected code for PHP Easter Egg Protection
These rules work on my XAMPP:
Database Version: 5.1.33-community
Database Collation: utf8_general_ci
PHP Version: 5.2.9
Web Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
Web Server to PHP interface: apache2handler
the rules
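# Also PHP Version Probing
# Consecutive RewriteCond lines are ANDed by default; [OR] lets either condition trigger the rule.
RewriteCond %{QUERY_STRING} (?=PHP).* [NC,OR]
RewriteCond %{REQUEST_URI} .*(=PHP).* [NC]
RewriteRule ^(.*)$ extra/joomla-fingerprinting.php [L]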
The following occurs on my live server with those rules:
Database Version: 5.1.50
Database Collation: utf8_general_ci
PHP Version: 5.3.2
Web Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
the rules
1. 404
2. 403
3. shows elephant
4. 403
5. shows elephant
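The split between REQUEST_URI and QUERY_STRING behind the annotations above can be checked offline. The following Python sketch is an added example, not part of the original research. It assumes Python's re module behaves like Apache's PCRE for these patterns, and the helper names (server_vars, cond, hits, false_positive) are its own. It evaluates a few of the page's conditions against the five test URLs and shows how two conditions combine under the default AND and under [OR].

```python
import re
from urllib.parse import urlsplit

GUID = "PHPE9568F36-D428-11d2-A769-00AA001ACF42"
# The five test URLs from the page, keyed by their number.
URLS = {
    1: "http://localhost/turnip.php?tool=" + GUID,
    2: "http://localhost/turnip.php=" + GUID,   # no '?', so no query string
    3: "http://localhost/turnip.php?=" + GUID,
    4: "http://localhost/=" + GUID,             # no '?', so no query string
    5: "http://localhost/tmp/?=" + GUID,
}

def server_vars(url):
    """Split a URL at the first '?', as the server does before mod_rewrite runs."""
    parts = urlsplit(url)
    return {"REQUEST_URI": parts.path, "QUERY_STRING": parts.query}

def cond(var, pattern, nocase=False):
    """Model one RewriteCond; nocase=True stands for a separate [NC] flag."""
    rx = re.compile(pattern, re.IGNORECASE if nocase else 0)
    return lambda v: rx.search(v[var]) is not None

def hits(conds, combine=all):
    """URL numbers on which the chain fires (all = default AND, any = [OR])."""
    return [n for n in sorted(URLS)
            if combine(c(server_vars(URLS[n])) for c in conds)]

# "^=" only matches when the query string itself starts with "=" (URLs 3 and 5).
qs_anchored = cond("QUERY_STRING", "^=" + GUID, nocase=True)
# "(?=PHP)" is a zero-width lookahead, not a literal "?=": any "php" satisfies it.
qs_lookahead = cond("QUERY_STRING", r"(?=PHP).*", nocase=True)
# With no space before it, "[NC]" is a character class and the match is case-sensitive.
uri_glued = cond("REQUEST_URI", r"(PHP).*[NC]")
uri_flagged = cond("REQUEST_URI", r"(PHP).*", nocase=True)
uri_equals = cond("REQUEST_URI", r".*(=PHP).*", nocase=True)

def false_positive(query):
    """True if the lookahead condition also fires on an unrelated query string."""
    return qs_lookahead({"REQUEST_URI": "/", "QUERY_STRING": query})

if __name__ == "__main__":
    print("anchored query     :", hits([qs_anchored]))
    print("lookahead query    :", hits([qs_lookahead]))
    print("URI, glued [NC]    :", hits([uri_glued]))
    print("URI, real [NC] flag:", hits([uri_flagged]))
    print("pair, default AND  :", hits([qs_lookahead, uri_equals]))
    print("pair, with [OR]    :", hits([qs_lookahead, uri_equals], any))
    print("benign query hit   :", false_positive("page=2&skin=php-dark"))
```

The benign query passed to false_positive is constructed for the example. It shows that the lookahead form also fires on ordinary requests that merely contain "php" in the query string.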