The first mention of this specific “attack vector” was disclosed back in 2004 at the seclists.org webappsec mailing list. It appears that a few of the PHP developers smuggled in hidden URL’s which would show various graphics and credits to the authors of involved in the PHP project. Rumors have circulated around how bad it really is. Most developers doesn’t know of it’s existence, some see it as a funny feature, some mistakes it as being harmless, while others see it as a potential threat to their IT environment. The catch is, there is no publicly available tool to evaluate how bad and widespread the problem really is.