Article:
  Ten Security Checks for PHP, Part 1
Subject:   Register Globals on
Date:   2003-05-22 23:21:49
From:   anonymous2
I am aware of the fact that its a security risk to set the register globals on in php.ini.


But still cant figure out , how a potential bad user can make advantage of that and misuse it.

Full Threads Newest First

Showing messages 1 through 7 of 7.

  • Register Globals on
    2003-05-22 23:55:36  clancymalcolm [View]

    It IS possible to write "secure" PHP applications with register globals turned on - it is just harder than if they were turned off. For example, a couple of years ago I discovered a security flaw in PHPShop where you could bypass their authentication system by passing it some values in the URL that set global variables to fool it in to thinking you were logged in. It was possible to fix this problem by making sure the variables were explicitly unset in the code before checking the authentication, but the problem never would have occurred if register_globals was turned off.

    Hope this helps.

    Cheers,
    Clancy
    • Register Globals on
      2003-05-26 04:42:37  anonymous2 [View]

      Thanks for the reply..
      That means that if and only if the data is being passed vai GET method, the question of security in regard to register globals on, comes into play..
      what if the method used is POST?

      Thanks again for the reply

      Cheers

      • Register Globals on
        2003-05-26 11:13:56  anonymous2 [View]

        Using POST instead of GET does not secure any script at all. Imagine creating your custom form on your local machine and directing the action to http://www.somwhere.net/someaction.php
        • Register Globals on
          2003-09-26 17:58:53  anonymous2 [View]

          how do you turn it on
        • Register Globals on
          2007-03-01 11:52:54  andrwe [View]

          My method for securing where POST data comes from is thus:

          $referer = $_SERVER['HTTP_REFERER'];
          if ($referer != "http://www.domain.com/form.html") {
          echo "nice try!";
          } else {
          process_form();
          }

          Any downside to that (other than having to change the URL upon upload)?
          • Register Globals on
            2007-03-01 14:10:51  Clancy Malcolm | O'Reilly Author [View]

            The value of $_SERVER['HTTP_REFERER'] comes from the Referer header in the HTTP request constructed by the client software. If the client is a regular browser, the referer will probably be set correctly, but the referer request header could be forged by a malicious user.

            Clancy
          • Register Globals on
            2008-07-01 11:13:49  davidrrm [View]

            That's certainly not a certain test though. I could create a program to do the post and it would set HTTP_REFERER to what you are looking for.