Webmaster Forum
#1 (permalink)
04-03-2007, 04:08 PM
temi (Facilitator)
register_global off

Quite a lot of applications are created which require you to have register global on; most hosting companies prefer to have register global off.

Is there a significant security risk to having register global set to on in php.ini?
#2 (permalink)
04-03-2007, 04:43 PM
podja (Junior Member)

I have mine off like most other hosting companies. If the user needs to have them on, he/she can do this by editing the .htaccess file.
#3 (permalink)
04-03-2007, 04:52 PM
temi (Facilitator)

Podja,
Do you know exactly why it's off in the first place?
#4 (permalink)
04-03-2007, 05:56 PM
melkior_inactive (Guest)

Well, if they are on then someone with too much time on his hands could hack your site easily. He could inject variables into your script without any problems.
#5 (permalink)
04-04-2007, 07:24 AM
Piotrek (Guest)

Hi Guys,

Very interesting topic. I was wondering - does the source of the problem lie in applications' security flaws or in PHP itself? And which globals are the most vulnerable?

Thanks,
Piotrek
#6 (permalink)
04-04-2007, 07:45 AM
melkior_inactive (Guest)

The problem isn't in PHP, it's in bad programming.
For instance if register_globals is on then something like this might happen:

The page might be coded like this:
PHP Code:
// $authorised is never initialized before it is tested
if ($password == "c3g4H2m") {
    $authorised = "1";
}
if ($authorised == 1) header("Location: admin.php?login=true");
So when the script links to example.com/index.php?password=c3g4H2m
the user would be taken to admin area (note that this is a poor example since no one should code like this but you'll get the point).
So the script above would take the user to the Admin area if he provides the right password.

But, a hacker (or someone curious enough) might write this into his address bar: example.com/index.php?authorised=1
He too would be taken to the Admin area.

The problem in the script above is that the $authorised variable was left uninitialized.
So to fix this security risk the code should be:
PHP Code:
// initialize first, so a value from the URL is overwritten
$authorised = "0";
if ($password == "c3g4H2m") {
    $authorised = "1";
}
if ($authorised == 1) header("Location: admin.php?login=true");
Thus by initializing the variable it doesn't matter what the hacker wrote since the variable is set to 0 on the first line.

But the safest way is to have register_globals off and then the code should look like this:
PHP Code:
// only the password key is read from the request
if ($_GET['password'] == "c3g4H2m") {
    $authorised = "1";
}
if ($authorised == 1) header("Location: admin.php?login=true");
So, now your script accepts only the variable specified in the $_GET, and you can leave the $authorised uninitialized since no one can tamper with it.

Also note that the script above is very insecure and it was written only as an example so no one should use it for an actual login.
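The three variants from post #6 side by side, as an added example that is not part of the thread: register_globals was removed in PHP 5.4, so extract() on a parsed query string stands in for it here. The function names, the sample query strings and the hash_equals() comparison in the last variant are assumptions of this example.

```php
<?php
// Added example, not code from the thread. register_globals was removed in
// PHP 5.4, so extract() on a constructed request array emulates it here.

const PASSWORD = 'c3g4H2m'; // value used in the thread's example

// Post #6, first script: $authorised is never initialised.
function check_uninitialised(array $query): bool
{
    extract($query); // what register_globals=on did with the query string
    if (($password ?? null) == PASSWORD) {
        $authorised = "1";
    }
    return ($authorised ?? null) == 1;
}

// Post #6, second script: $authorised is set before it is tested.
function check_initialised(array $query): bool
{
    extract($query);
    $authorised = "0"; // overwrites anything the request injected
    if (($password ?? null) == PASSWORD) {
        $authorised = "1";
    }
    return $authorised == 1;
}

// register_globals off: only the named key is read from the request.
function check_superglobal(array $get): bool
{
    $supplied = $get['password'] ?? '';
    return is_string($supplied) && hash_equals(PASSWORD, $supplied);
}

// Constructed query strings, parsed the way PHP fills $_GET.
$samples = ['password=c3g4H2m', 'password=wrong', 'authorised=1', 'password[]=x&authorised=1'];

foreach ($samples as $qs) {
    parse_str($qs, $query);
    printf("%-28s uninitialised=%d initialised=%d superglobal=%d\n",
        $qs,
        check_uninitialised($query),
        check_initialised($query),
        check_superglobal($query));
}
```

Only the uninitialised variant accepts a request carrying authorised=1. Legacy code that calls extract($_GET) or extract($_REQUEST) to keep running with register_globals off behaves like the first function.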
#7 (permalink)
04-04-2007, 09:51 AM
temi (Facilitator)

Melky,
This is an excellent post, it should explain the risk of having register global set to on loud and clear, rep added
#8 (permalink)
04-04-2007, 10:41 AM
melkior_inactive (Guest)

Thanks Temi!
Bottom line is that it's best to have register_globals set to off and use associative arrays $_POST and $_GET in your scripts.
If you really have a need to set them to on or you can't change the setting, then make sure that all variables in your code are properly initialized.

Also note that it's quite possible that in the future versions of PHP register_globals will be set to off and that you won't be able to change it.

Also a few tips:
if you want register_globals on (which I wouldn't recommend)
then you can put this into your .htaccess file:
Code:
php_flag register_globals on
And if you want to set them off (recommended)
then put this into your .htaccess file:
Code:
php_flag register_globals off
#9 (permalink)
04-04-2007, 12:35 PM
Piotrek (Guest)

Thanks very much Melky! That did explain a lot. And the drawback of globals was, as I suspected, bad programming, not the globals themselves.

I've read that the $_GET table is rather not recommended, for the reason that the variables and values are also passed to the script in the URL so they may be hacked the same way you described, right?

So this code:
PHP Code:
if ($_GET['password'] == "c3g4H2m") {
    $authorised = "1";
}
if ($authorised == 1) header("Location: admin.php?login=true");
Can also be hacked by writing this:
PHP Code:
script.php?authorised=1
For the same reason would this get me to the control panel as well:
PHP Code:
admin.php?login=true
Correct?

Or is the variable $authorised not accessible from outside the if condition?

And thanks for the tip about the .htaccess command. Do you by any chance know a nice guide to .htaccess managing?

Kind Regards,
Piotrek
#10 (permalink)
04-04-2007, 12:47 PM
melkior_inactive (Guest)

No problem Piotrek!
The code you wrote in the first PHP code block wouldn't be hacked by script.php?authorised=1 since I wrote that example for register_globals set to off, so no outside influence on variables is allowed.
And yes, you could hack the script with admin.php?login=true, but that wasn't the point. I was just giving an example of some kind of access to the admin part.

Don't know about a guide for .htaccess files. I've never found one comprehensive enough. They usually tend to give examples for only one group of settings. But when I get some free time, I'll create one.
All times are GMT.