What are the most common problems and dangers when enabling `register_globals` in php?


Viewed 317 times

13

I recently asked the following question: "How the file receives the $_POST?"

Based on the comments and the answer, I was interested to know the main problems and dangers of having this function enabled in php.ini.

3 answers

17


With this option enabled it is possible for the user to define variables in his code at the time of the request, and therefore his code should be written very carefully (which doesn't happen much...). An example of vulnerable code:

<?php
// set $authorized = true only if the user is authenticated
if (authenticated_user()) {
    $authorized = true;
}
// Because we never initialize $authorized to false, it can be
// set through register_globals, for example with GET auth.php?authorized=1
// This way, anyone can be seen as authenticated!
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>

If the user visits the URL www.seudominio.com.br/arquivo.php?authorized=1, then PHP will interpret the code as follows:

<?php
// At this point PHP automatically turns the $_GET entry into the corresponding variable.
$authorized = 1;
// This check loses its meaning, since the variable is already true
if (authenticated_user()) {
    $authorized = true;
}
// Since true and 1 carry the same weight in the check, i.e. both are equivalent,
// at this point the check would show the data to anyone who came in
// through the URL mentioned above.
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>

Reference and more comments on http://php.net/manual/en/security.globals.php

6

Whenever you enable register_globals you are authorizing the entire world, through an HTTP request, to create and overwrite variables in your PHP script.

Each HTTP request is transformed into a global-scope array by PHP. With this option enabled, all keys in this array are transformed into variable names with global scope. If you call one of these variables and it is not initialized, it will assume the value of the global, that is, the value of a POST or GET.

Let's just say you lost a blank check with your signature, and now you pray no one finds the check and fills it in with a lower amount than you have in the account.

0

register_globals has been deactivated since version 5.4, as it put many applications at risk.

With it, anyone who called a URL such as:

meusite.com/test.php?variable=value

could simply set a value for it within your code. There were a lot of attacks based on this.

After PHP 5.4, to simulate register_globals if you need to, just use the extract() command at the beginning of the code. So all the variables that come by POST or GET already arrive "ready".

The command is very simple: extract();

But use it carefully, okay?
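The following is an added example, not part of any of the answers above: it runs the unauthenticated request from the first answer through an `extract()`-based import and through a version that reads request data by explicit key. The `authenticated_user()` stub, the function names and the sample `$request` array are assumptions made for illustration.

```php
<?php
// Hypothetical stand-in for the page's authenticated_user(): nobody is logged in.
function authenticated_user(): bool
{
    return false;
}

// Emulates register_globals with extract(): every request key becomes a
// local variable before the script's own logic runs.
function check_with_extract(array $request): bool
{
    extract($request);              // default flag is EXTR_OVERWRITE
    if (authenticated_user()) {
        $authorized = true;
    }
    // $authorized was never initialized, so the request value survives.
    return !empty($authorized);
}

// Hardened form: no bulk import, the flag starts as false, and request data
// is read only by explicit key from the array it arrived in.
function check_explicit(array $request): array
{
    $authorized = false;
    if (authenticated_user()) {
        $authorized = true;
    }
    $page = isset($request['page']) && is_string($request['page'])
        ? $request['page']
        : 'home';
    return [$authorized, $page];
}

// Constructed sample input standing in for $_GET on
// arquivo.php?authorized=1&page=home (not taken from a real request).
$request = ['authorized' => '1', 'page' => 'home'];

var_dump(check_with_extract($request));
var_dump(check_explicit($request));
```

The PHP manual warns against calling `extract()` on untrusted data such as user input; initializing every security-relevant variable and reading from `$_GET`/`$_POST` by name removes the dependency on import order.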
