PHP & Apache Help

Rich Caloggero rjc at MIT.EDU
Sun Jul 28 13:45:42 EDT 2002


Due to security concerns, the PHP developers thought it safer to turn off
the register_globals feature. This feature, and actually a switch/init
variable found in the php.ini file, is now off by default. If you turn it
on, the old behavior will be restored. The problem with this is, for
instance, say you have a script which asks for a login/password and then
sets a variable called "authenticated" to indicate that the user passed the
correct username/password. You could get around this, albeit minimal,
security by simply calling the page with something like:
http://www.myhost.com/page.php?authentic=1 and you'd breach the security.

** From the PHP Manual **

Using Register Globals

One feature of PHP that can be used to enhance security is configuring PHP
with register_globals = off. By turning off the ability for any
user-submitted variable to be injected into PHP code, you can reduce the
amount of variable poisoning a potential attacker may inflict. They will
have to take the additional time to forge submissions, and your internal
variables are effectively isolated from user submitted data.

While it does slightly increase the amount of effort required to work with
PHP, it has been argued that the benefits far outweigh the effort.

Example 5-14. Working without register_globals=off

<?php
if ($username) {  // can be forged by a user in get/post/cookies
    $good_login = 1;
}

if ($good_login == 1) { // can be forged by a user in get/post/cookies
    // readfile() takes a path; fpassthru() needs an open file handle
    readfile("/highly/sensitive/data/index.html");
}
?>

Example 5-15. Working with register_globals = off

<?php
if ($_COOKIE['username']) {
    // can only come from a cookie, forged or otherwise
    $good_login = 1;
    // readfile() takes a path; fpassthru() needs an open file handle
    readfile("/highly/sensitive/data/index.html");
}
?>

By using this wisely, it's even possible to take preventative measures to
warn when forging is being attempted. If you know ahead of time exactly
where a variable should be coming from, you can check to see if submitted
data is coming from an inappropriate kind of submission. While it doesn't
guarantee that data has not been forged, it does require an attacker to
guess the right kind of forging.

Example 5-16. Detecting simple variable poisoning

<?php
if ($_COOKIE['username'] &&
    !$_POST['username'] &&
    !$_GET['username']) {
    // Perform other checks to validate the user name...
    $good_login = 1;
    // readfile() takes a path; fpassthru() needs an open file handle
    readfile("/highly/sensitive/data/index.html");
} else {
    mail("admin@example.com", "Possible breakin attempt",
         $_SERVER['REMOTE_ADDR']);
    echo "Security violation, admin has been alerted.";
    exit;
}
?>

Of course, simply turning off register_globals does not mean code is secure.
For every piece of data that is submitted, it should also be checked in
other ways.

For more, go to http://www.php.net and search for "register globals" in the
documentation.


                    Rich
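
The following is an added example, not part of the original post or the PHP manual. It emulates register_globals = on with extract() so the forged-variable problem from Example 5-14 can be run from the command line next to a check in the style of Examples 5-15 and 5-16. The function names and the sample requests are constructed for illustration.

```php
<?php
// Emulates register_globals = on: request parameters become variables
// before the script's own logic runs (GET, POST, cookie order; later wins).
function legacy_check(array $get, array $post, array $cookie): bool
{
    extract(array_merge($get, $post, $cookie));
    if (!empty($username)) {
        $good_login = 1;
    }
    // $good_login was never initialised, so a request can define it.
    return isset($good_login) && $good_login == 1;
}

// register_globals = off style: initialise the flag, read each value only
// from the array it is expected in, and flag the wrong submission kind.
function strict_check(array $get, array $post, array $cookie): string
{
    $good_login = false;
    if (isset($get['username']) || isset($post['username'])) {
        return 'poisoning';          // username is only expected as a cookie
    }
    if (!empty($cookie['username'])) {
        // Further validation of the user name would go here.
        $good_login = true;
    }
    return $good_login ? 'granted' : 'denied';
}

// Constructed sample requests: [GET, POST, cookie].
$requests = [
    'cookie login'      => [[], [], ['username' => 'rich']],
    'forged good_login' => [['good_login' => '1'], [], []],
    'username via GET'  => [['username' => 'rich'], [], []],
    'anonymous'         => [[], [], []],
];

foreach ($requests as $label => [$get, $post, $cookie]) {
    printf("%-18s legacy=%-7s strict=%s\n",
        $label,
        legacy_check($get, $post, $cookie) ? 'granted' : 'denied',
        strict_check($get, $post, $cookie));
}
```

The 'forged good_login' request is the case to watch: the legacy check grants access because the flag arrives from the query string, while the strict check ignores it because the flag is initialised by the script itself.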





