LinkBack URL
About LinkBacks
Reply With QuoteI have mine off like most other hosting companies. If the user needs to have them on, he/she can do this by editing the .htaccess file.
Facilitator
register_global off
Quite a lot of application are created which required you to have register global on, most hosting companies prefers to have register global off.
Is there a significant security risk to having register global set to on in php.ini ?
* Build a shopping cart for your business with eCommerce software UK
* BossCart.com can build you a.
Register your domain names at Velnet
::
Add Eco sites to The Green Directory free of charge.
Use LBS Free PHP Directory Script . Web Hosting Blog
Junior Member
I have mine off like most other hosting companies. If the user needs to have them on, he/she can do this by editing the .htaccess file.
Facilitator
Podja,
Do you know exactly why its off in the first place?
* Build a shopping cart for your business with eCommerce software UK
* BossCart.com can build you a.
Register your domain names at Velnet
::
Add Eco sites to The Green Directory free of charge.
Use LBS Free PHP Directory Script . Web Hosting Blog
Well, if they are on than someone with too much time on his hands could hack your site easily. He could inject variables into your script without any problems.
Hi Guys,
Very interesting topic. I was wondering - does the source of the problem lie in applications security flows or in PHP itself? And which globals are the most voulnarable?
Thanks,
Piotrek
The problem isn't in PHP, it's in bad programming.
For instance if register_globals is on then something like this might happen:
The page might be coded like this:
So when the script links to example.com/index.php?password=c3g4H2mPHP Code:if ($password=="c3g4H2m") {
$authorised="1";
}
if ($authorised == 1) header(Location: admin.php?login=true);
the user would be taken to admin area (note that this is a poor example since noone should code like this but you'll get the point).
So the script above would take the user to the Admin area if he provides the right password.
But, a hacker (or someone curious enough) might write this into his adress bar: example.com/index.php?authorised=1
He too would be taken to the Admin area.
The problem in the script above is that the $authorised variable was left uninitialized.
So to fix this security risk the code should be:
Thus by initializing the variable it doesn't matter what the hacker wrote since the variable is set to 0 on the first line.PHP Code:$authorised="0";
if ($password=="c3g4H2m") {
$authorised="1";
}
if ($authorised == 1) header(Location: admin.php?login=true);
But the safest way is to have register_globals off and than the code should look like this:
So, now your script accepts only the variable specified in the $_GET, and you can leave the $authorised uninitialized since noone can tamper with it.PHP Code:if ($_GET['password']=="c3g4H2m") {
$authorised="1";
}
if ($authorised == 1) header(Location: admin.php?login=true);
Also note that the script above is very unsecure and it was written only as an example so noone should use it for an actual login.
Facilitator
Melky,
This is and excellent post, it should explain the risk of having register global set to one loud and clear, rep added
* Build a shopping cart for your business with eCommerce software UK
* BossCart.com can build you a.
Register your domain names at Velnet
::
Add Eco sites to The Green Directory free of charge.
Use LBS Free PHP Directory Script . Web Hosting Blog
Thanks Temi!
Bottom line is that it's best to have register_globals set to off and use associative arrays $_POST and $_GET in your scripts.
If you really have a need to set them to on or you can't change the setting than, make sure that all variables in your code are properly initialized.
Also note that it's quite possible that in the future versions of PHP register_globals will be set to off and that you wan't be able to change it.
Also a few tips:
if you want register_globals on (which I wouldn't recommend)
than you can put this into your .htaccess file:
And if you want to set them off (recommended)Code:php_flag register_globals on
than put this into your .htaccess file:
Code:php_flag register_globals off
Thanks very much Melky! That did explain a lot. And the drawback of globals was as I suspected bad programming not them itself.
I've read that $_GET table is rather not recommended for the reason the variables and values are also passed to the script in the url so they may be hacked the same way you described, right?
So this code:
Can also be hacked writting this:PHP Code:if ($_GET['password']=="c3g4H2m") {
$authorised="1";
}
if ($authorised == 1) header(Location: admin.php?login=true);
For the same reason would this get me to the control panel as well:PHP Code:script.php?authorised=1
Correct?PHP Code:admin.php?login=true
Or is the variable $authorised not accessible from outside the condition if?
And thanks for the tip about .htaccess commend. Do you by any chance know a nice guide to .htaccess managing?
Kind Regards,
Piotrek
No problem Piotrek!
The code you wrote in the first PHP code block wouldn't be hacked by script.php?authorised=1 since I wrote that example for the registered_globals set to off so no outside influence on variables is allowed.
And yes, you could hack the script with admin.php?login=true, but that wasn't the point. I was just giving an example of some kind of access to the admin part.
Don't know about I guide for .htaccess files. I've never found one comprehensive enough. They usually tend give examples for only one group of settings. But when I get some free time, I'll create one.
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
Bookmarks