register_globals security risk

  • Ham Pastrami

    register_globals security risk

    My hosting provider has register_globals on. How big of a security risk is
    this, and is there a workaround for it if I can't convince them to turn it
    off? At the moment I am running phpbb and mantis on my site.


  • Andy Jeffries

    #2
    Re: register_globals security risk

    On Thu, 18 May 2006 19:49:07 +0000, Ham Pastrami wrote:
    > My hosting provider has register_globals on. How big of a security risk is
    > this, and is there a workaround for it if I can't convince them to turn it
    > off? At the moment I am running phpbb and mantis on my site.

    It's not a big risk if you don't code for it being on. The risk comes in
    using variables like $page when you should be using $_GET["page"]. The
    latter cannot be faked, $page could have been set in any number of ways.

    So, code sensibly and it doesn't matter whether register_globals is on or
    off. Code so that it must be turned on and you're potentially up the
    creek.

    Cheers,


    Andy

    --
    Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer
    http://www.gphpedit.org | PHP editor for Gnome 2
    http://www.andyjeffries.co.uk | Personal site and photos


    • Toby Inkster

      #3
      Re: register_globals security risk

      Andy Jeffries wrote:
      > It's not a big risk if you don't code for it being on. The risk comes in
      > using variables like $page when you should be using $_GET["page"]. The
      > latter cannot be faked, $page could have been set in any number of ways.

      I generally code specifically for it being *off*. e.g.

      <?php
      // Note: $loggedin is not initialised anywhere before this check.
      if ($_GET['username']=='tom' && $_GET['password']=='secret1')
          $loggedin = TRUE;
      elseif ($_GET['username']=='dick' && $_GET['password']=='secret2')
          $loggedin = TRUE;
      elseif ($_GET['username']=='harry' && $_GET['password']=='secret3')
          $loggedin = TRUE;

      if ($loggedin)
          do_super_secret_stuff();
      ?>

      With register_globals switched *on* a visitor can simply pass ?loggedin=1
      and they get the secret stuff. So register_globals on can be a *serious*
      security risk.

      Luckily you can switch it off easily using, for example, .htaccess:

      php_value register_globals off

      --
      Toby A Inkster BSc (Hons) ARCS
      Contact Me ~ http://tobyinkster.co.uk/contact


      • Chung Leong

        #4
        Re: register_globals security risk

        Ham Pastrami wrote:
        > My hosting provider has register_globals on. How big of a security risk is
        > this, and is there a workaround for it if I can't convince them to turn it
        > off? At the moment I am running phpbb and mantis on my site.

        One has to remember that register_globals is not a security risk in and
        of itself. The developers of PHP weren't that dumb. What they didn't
        anticipate is people using include files as functions. Programmers with
        a background in other procedural languages like C just don't do that.
        Include files are for loading in definitions, not to cause things to
        happen.

        Take a look at the code and see if there are places where the script
        does something by including a file. If so, you probably have a
        vulnerability somewhere.


        • Rik

          #5
          Re: register_globals security risk

          Toby Inkster wrote:
          > Andy Jeffries wrote:
          >
          >> It's not a big risk if you don't code for it being on. The risk
          >> comes in using variables like $page when you should be using
          >> $_GET["page"]. The latter cannot be faked, $page could have been
          >> set in any number of ways.
          >
          > I generally code specifically for it being *off*.

          Yup, not only a good idea, it also makes the code more portable.

          > With register_globals switched *on* a visitor can simply pass
          > ?loggedin=1 and they get the secret stuff. So register_globals on can
          > be a *serious* security risk.

          Hmmz, important values like that are ALWAYS initiated in my scripts.

          eg:

          $logged_in = false;
          if (some_validation()) { // some validating; some_validation() is a placeholder
              $logged_in = true;
          }

          Grtz,
          --
          Rik Wasmus
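
A workaround for the case in the original question, where the host will not turn register_globals off (an added example, not part of any post in this thread): undo the registration at the top of each entry script, then apply the explicit initialisation Rik describes to the check from Toby's post. The function name unregister_request_globals and the $accounts array are assumptions made for this example.

```php
<?php
// Added example. unregister_request_globals() is a name chosen here.
function unregister_request_globals()
{
    // Directive off, or absent from this PHP build: nothing to undo.
    if (!ini_get('register_globals')) {
        return;
    }
    // A parameter named GLOBALS targets the symbol table itself; refuse it.
    if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
        exit('GLOBALS overwrite attempt detected');
    }
    // Superglobals that must survive the cleanup.
    $keep = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                  '_SERVER', '_ENV', '_FILES');
    // Every source that register_globals copies into the global scope.
    $input = array_merge(
        $_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES,
        (isset($_SESSION) && is_array($_SESSION)) ? $_SESSION : array()
    );
    foreach ($input as $name => $value) {
        if (!in_array($name, $keep, true) && isset($GLOBALS[$name])) {
            unset($GLOBALS[$name]);
        }
    }
}

unregister_request_globals(); // call before session_start() and any includes

// Constructed sample accounts mirroring the ones in Toby's post.
$accounts = array('tom' => 'secret1', 'dick' => 'secret2', 'harry' => 'secret3');

$loggedin = false; // explicit default: ?loggedin=1 can no longer supply it
// Accept only string parameters; anything else counts as missing.
$user = (isset($_GET['username']) && is_string($_GET['username'])) ? $_GET['username'] : '';
$pass = (isset($_GET['password']) && is_string($_GET['password'])) ? $_GET['password'] : '';
if (isset($accounts[$user]) && $accounts[$user] === $pass) {
    $loggedin = true;
}
echo $loggedin ? "logged in\n" : "denied\n";
```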

