Anyone with a fascination for seeing a PHP-powered page make calls to a bunch of PHP scripts got an eyeful from social networking site Facebook over the weekend.
Facebook Opened Its Source Code
Facebook heatedly demanded the removal of its home page source code from a blog, Facebook Secrets, and any other sites that reproduced it over the weekend. Unsecured access to the code allowed people to grab a copy; given the nature of the Internet, plenty of people probably did so.
Nik Cubrilovic pointed out the code's availability in his post at TechCrunch. He cited an anonymous tip that the code had been leaked and reproduced on Facebook Secrets, where it could still be found early Monday morning.
Facebook representatives made a statement and echoed it in a comment on Cubrilovic's post regarding the leak. The official response:
A small fraction of the code that displays Facebook web pages was exposed to a small number of users due to a single misconfigured web server that was fixed immediately. It was not a security breach and did not compromise user data in any way. Because the code that was released only powers the Facebook user interface, it offers no useful insight into the inner workings of Facebook. The reprinting of this code violates several laws and we ask that people not distribute it further.
Cubrilovic noted on his personal blog that PHP sometimes sends back source code in response to a poorly processed request. He listed some ways of securing PHP better, such as using mod_security with Apache and a couple of httpd.conf tweaks, to keep another site from repeating the exposure Facebook suffered.
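An added example, not taken from the article or from Cubrilovic's post: a Python check a site operator could run over fetched pages to flag responses that still contain unexecuted PHP source, the symptom described above. The sample paths and bodies are constructed, and the function names are illustrative.

```python
import re

# Opening tags that should never survive into a served page: "<?php", "<?=",
# and the short tag "<?" followed by whitespace. "<?xml" does not match,
# because it is a legitimate XML declaration.
PHP_OPEN = re.compile(r"<\?(?:php\b|=|(?=\s))", re.IGNORECASE)
# Tokens that make a bare short-tag hit credible as PHP rather than stray text.
PHP_TOKENS = re.compile(
    r"\$\w+|\b(?:require|include)(?:_once)?\b|\bfunction\s+\w+\s*\("
)

def find_php_leak(body, context=40):
    """Return (offset, snippet) for each unexecuted PHP block in a response body."""
    hits = []
    for m in PHP_OPEN.finditer(body):
        tag = m.group(0).lower()
        end = body.find("?>", m.end())
        # PHP files often omit the closing tag, so an open block runs to the end.
        block = body[m.end(): end if end != -1 else len(body)]
        # "<?php" and "<?=" are conclusive; bare "<?" needs PHP-looking content.
        if tag in ("<?php", "<?=") or PHP_TOKENS.search(block):
            hits.append((m.start(), body[m.start(): m.start() + context]))
    return hits

def leaking_paths(responses):
    """Given {path: body}, return the sorted paths whose body exposes PHP source."""
    return sorted(p for p, body in responses.items() if find_php_leak(body))

# Constructed sample responses (not real site content).
SAMPLES = {
    "/index.php": "<?php\nrequire_once 'lib/init.php';\n$user = current_user();\n",
    "/legacy.php": "<html><? $n = count($items); ?><p>items</p></html>",
    "/feed.xml": "<?xml version=\"1.0\"?>\n<rss><channel></channel></rss>",
    "/help.html": "<p>Short tags start with <? and end with ?></p>",
}

if __name__ == "__main__":
    for path in leaking_paths(SAMPLES):
        print("source exposed:", path, find_php_leak(SAMPLES[path]))
```
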
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.