security with globals on

jonchakra5

Greetings!

I am on an isp box with globals on (unfortunately).

I would like to be as security concious as possible. I've been reading up on this subject here and elsewhere, and wonder if safing up my scripts are as easy as making sure all my variables are set and not left to run off and be missused, ie:

if I have a session variable

$_SESSION['foo']

out there, then setting it on each page to

$foo = $_SESSION['foo'];

would protect that variable from being hijacked. Is this correct? And are there any other considerations passed keeping an eye on all availabel variables that are being used in your script?

What else must a security concious fellow do to batten down the hatches?

Thank you for your thoughts and suggestions!!

diego25

Another thing to take into account it this type of code:

if ($password == "something") {
$authenticated = true;
}

// then later on

if ($authenticated) {
print "sensitive data";
}

The problem with this is that even if a hacker doesn't have the right password, he/she can do this:

script.php?authenticated=1

And your script will dumbly print out sensitive data!

Diego

saidbakr

This's very good notice from diego25, becuse with depend on register_global = on and the programer dose not attempt to change the variable identifier, any one may be able to know critical variables inside your script, so using $GET[] or $session[] or any thing like that may be so usefull to hide the really used identifiers .🆒

jonchakra5

Thanks diego25 & saidbakr for your replies!

diego. I am thinking that initializing


$authenticated = false; 

if ($password == "something") { 
$authenticated = true; 
} 

// then later on 

if ($authenticated) { 
print "sensitive data"; 
}

that it is no longer vulnerable to said attack?

Also, is having globals on simply openning valriables up to be defined by anyone, or is there something else to consider like them being able to dump all your variables somehow? Anyone able to lay out what the security risks actually are ?

I really don't have the consept here I fear.

Thanks for the help!

ahundiak

Did you isp give you an account to which you can login on? If so then create a file in your home directory called .htaccess and

<IfModule mod_php4.c>
php_flag register_globals off
</IfModule>

And the problem goes away.

diego25

is having globals on simply openning valriables up to be defined by anyone,

That's one problem...

or is there something else to consider like them being able to dump all your variables somehow?

Well, it depends on how the code is written. If your code relies on some control variables (like $authenticated in the previous example), then the user could exploit that. If your code has something like

if ($debug) {
print_r($$varName);
}

Then with register_globals on, someone could do
script.php?debug=1&varName=GLOBALS

and it would do a var dump 🙂

Another related problem with register_globals on is that you don't know where your variables are coming from. That's why there's $GET, $POST, $COOKIE, $SESSION, etc, so that the coder can get the right value from the right source.

Diego

jonchakra5

Thanks for the replies!!

ahundiak

What exactly does that little tidbit do? Does it change the settings in php.ini? In which case I'd have one po'ed isp. Or does it change the environment just within my folders?

Also when you say "the problem oges away" can you describe what has happened to make it so? Are there other issues that remain different from acually having globals off?

Your insight is greatly appreciated!

diego25

Does the adjustment I made above answer the control variables issue or is there still some squabble between the values you are intending, and the values the attacker might try to introduce?

Another related problem with register_globals on is that you don't know where your variables are coming from. That's why there's $GET, $POST, $COOKIE, $SESSION, etc, so that the coder can get the right value from the right source.

Does using say $_SESSION['foo'] then protect you from an attacker trying to introduce 'foo' through the querystring? Are there other things to do to make sure 'foo' isn't getting in the back door?

Thanks much for you information so far. vary informative!

ahundiak

Putting the line in .htaccess only changes the enviroment for your folders. You may have noticed that when you do a phpinfo you get two columns of data. A local column and a global column. Only the value in the local column will be changed by .htaccess.

So it won't bother your isp at all.

With register_globals = off someone can try

www.yoursite.com?authorized=1

and in your script

if ($authorized)
{
echo 'You are authorized';
}
else
{
echo 'You are NOT authorized';
}

Will produce
You are NOT authorized.

jonchakra5

ahundiak

Thanks for the rundown. One more clarification on what sounds like a nifty little dealy. Am I correct in assuming that using

 <IfModule mod_php4.c> 
php_flag register_globals off 
</IfModule>

in htaccess, it will then produce an environment just as if the php.ini was set with gobals off? Or are there any differences?

Thanks again for your suggestions! This looks to be a very helpful tool!

ahundiak

I believe the two are functionally the same.