Security Issues with register_globals on

dmacman1962

Hi All,

I have a post that was resolved but Kudose had pointed out that I must have register_globals turned on and that was a security Issue.

The site is hosted by our ISP and they do have them turned on.

What security issues are there, and what steps can I take to close them on my end?

Thanks,

Don

Nugen

he is probably talking about the global variable rewrite bug that was present in any version of PHP prior to 4.4.1

Here is the snippet of news from the top articale on php.net

This version is a maintenance release, that contains numerous bug fixes, including a number of security fixes related to the overwriting of the GLOBALS array. All users of PHP 4.3 and 4.4 are encouraged to upgrade to this version.

Here is the actual release announcement.
http://www.php.net/release_4_4_1.php

PHP 4.4.1. Release Announcement

The PHP Development Team would like to announce the immediate release of PHP 4.4.1.

This is a bug fix release, which addresses some security problems too. The security issues that this release fixes are:

* Fixed a Cross Site Scripting (XSS) vulnerability in phpinfo() that could lead f.e. to cookie exposure, when a phpinfo() script is accidently left on a production server.
* Fixed multiple safe_mode/open_basedir bypass vulnerabilities in ext/curl and ext/gd that could lead to exposure of files normally not accessible due to safe_mode or open_basedir restrictions.
* Fixed a possible $GLOBALS overwrite problem in file upload handling, extract() and import_request_variables() that could lead to unexpected security holes in scripts assumed secure. (For more information, see here).
* Fixed a problem when a request was terminated due to memory_limit constraints during certain parse_str() calls. In some cases this can result in register_globals being turned on.
* Fixed an issue with trailing slashes in allowed basedirs. They were ignored by open_basedir checks, so that specified basedirs were handled as prefixes and not as full directory names.
* Fixed an issue with calling virtual() on Apache 2. This allowed bypassing of certain configuration directives like safe_mode or open_basedir.
* Updated to the latest pcrelib to fix a possible integer overflow vulnerability announced in CAN-2005-2491.

This release also fixes 35 other defects, where the most important is the the fix that removes a notice when passing a by-reference result of a function as a by-reference value to another function. (Bug #33558).

For a full list of changes in PHP 4.4.1, see the ChangeLog.

This was all after the hardened php project discovered these bugs as well as bugs within phpBB.

Hope that helps.

dmacman1962

Thanks,

I notified our ISP and asked them to update.

Don

Weedpacket

Well, the security issue has been around ever since register_globals was the default behaviour (since PHP4.2 it has been turned off by default). The reasons are given in one of the chapters on security in the manual.