phpinfo() Phones Home

Posted on by

So I was doing some client work today when I noticed something somewhat disturbing; phpinfo() has a logo that sends data back to php.net. I’m not sure exactly what the data is, but here’s the offending markup. 


<img border="0" src="?=PHPE9568F34-D428-11d2-A769-00AA001ACF42" alt="PHP Logo" />

The somewhat more disturbing part is that this image also sets a cookie. The cookie appears to hold both my country and the IP address of the requesting agent. 


COUNTRY=USA%2C64.34.176.111

I’ve looked at a few scripts and found that the src of the image file appears to change slightly between installations. I’m sure it’s nothing malicious, but it is a bit odd.

Anyone else know anything about this?

3 thoughts on “phpinfo() Phones Home

  1. It doesn’t phone home. No information is sent to php.net or anywhere else.

    The PHP interpreter on the server sees that GUID and serves back the image data, which is embedded in the PHP executable or Apache/IIS module.

    As for the cookie, I don’t know. Mine does not set a cookie. Seems like that may be some other stuff running on the server, not PHP code per se. Either way, it’s harmless, since cookies can’t be set outside of the domain of the requested page, i.e. it will never be sent to a site other than the one you requested.

  2. You just completely n00b’d all over yourself. That cookie was probably set by PHP.net; the image (which is sent by the PHP interpreter, NOT the PHP web site) sets nothing.

    YOU LOSE. GOOD DAY, SIR.

  3. That’s just how they’re serving the images… the phpinfo() function is likely doing the following:
    examining the GET request for “PHPE9568F34-D428-11d2-A769-00AA001ACF42”,
    clears the output buffer,
    sets the Content-Type headers appropriately
    does a readthrough() of the image file
    and exits.

    The images are served off your local machine, all from the same function…

    This does bring up the concern that this “magic” actually makes the call back to php.net and we can check for that too:

    # /usr/sbin/tcpdump | grep php
    tcpdump: listening on eth0

    3236 packets received by filter
    0 packets dropped by kernel

    < control-c >

    nothing.

    and… to keep the Wonka going:

    IT’S ALL THERE, CLEAR AS CRYSTAL! YOU STOLE FIZZY LIFTING DRINKS; YOU BUMPED INTO THE CEILING WHICH NOW HAS TO BE WASHED AND STERILIZED, SO YOU GET NOTHING!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.