Home
Links
 
Home Page
make a choice: Photoshop 7 or Photoshop CS/CS 2
Uncle Gugl - a giant
How to name a Web-site?
Spam - a problem of a century
register_globals=oN? You in danger!
Gathering of statistics on PHP
Transformation XML + XSLT with help Sablotron
Patterns of documents and Perl
The signature or avatars on pkhp
Privatnost` in the Internet
Use of the module for job with patterns
Alternative MIME:: Parser and Email:: Simple
Job with sessions in perl
Creation of dynamic forms with help JavaScript
*.JS when to be loaded you think?
Module CGI.pm
XML in 10 theses
Platformo-independent dynamic site - a myth or a reality?
Something about WAP
 
topic


register_globals=oN? You in danger!

Hello dear the web designer, clause{article} narrates about why it is dangerous to leave an option register_globals switched on. You, probably, heard, that use of her  can lead to to unsafe job of your program (script). But let's understand, as this option can use in the illegal purposes and as from it to be protected.


What represents register_globals?

It is an option in php.ini which specifies necessity of registration of variables received by method POST or GET in a global file $GLOBALS.


For clearness I shall result an example at register_globals=on.

There is a file "index.php" with contents:



<?

echo $asd. ' - a local variable <br> ';

echo $GLOBALS [' asd ']. ' - the link in a global file $GLOBALS <br> ';

echo $ _GET [' asd ']. ' - $ _GET ["asd"] ';

?>


In an address bar we shall write: index.php? asd=123


Let's receive:



123 - a local variable

123 - the link in a global file $GLOBALS

123 - $ _GET [' asd ']


As we see, created 2 variables: one local (+ the link in $GLOBALS), another in a file $ _GET. Many do not use a file $ _GET in general, they continue to process a variable "$asd" after reception of her  from the outside.

But let's ponder, what for to us "to pollute" a file $GLOBALS? For this purpose we have the special files storing{keeping} the data, transferred{handed} by methods GET (a file $ _GET) and POST (a file $ _POST).


The same example, but at register_globals=off:



- A global variable

- The link in a global file $GLOBALS

123 - $ _GET [' asd ']


T.o. The local variable has not been created and for a manipulation with "$asd" we should use a file $ _GET.


Probably, already now you have changed the opinion about register_globals.

Probably, you should copy something in the programs, but it of that costs{stands}.


And now I shall tell to you as the hacker can use this option in the purposes, i.e. at register_globals=on

I shall start from simple to complex .


Often we see preventions :



Notice: Undefined variable: asd (the name of a variable) in ****


What does it mean? It means, that the variable "$asd" has not been determined obviously.

For example, some people play about similar:



<?

for ($i=0; $i <10; $i ++)

{

$asd. = $ i;

}


echo $asd

?>


I.e. not having defined{determined} a variable, at once start her  to use. The resulted code on idea is not terrible, but reflect, and suddenly this variable "$asd", in a consequence enters the name in a file? For example, we shall write the following in a line of the address: « index.php? asd=LUSER + » also we shall receive: « LUSER 0123456789 ». Well, unless it will be pleasant to see such? I do not think.


We we shall assume write system autentifikacii the user:



<?

if ($ _POST [' login '] == ' login ' ** $ _POST [' pass'] == ' pass')

{

$valid_user=TRUE; // the User correct

}


if ($valid_user)

{

echo ' Hello, the user ';

}

else echo ' In access it refused '

?>


I have resulted obviously holey system, it is necessary to us to write only in an address bar « index.php? valid_user=1 » and we shall receive an inscription « Hello, the user »


It would not happen, if we have written so:



<?

if ($ _POST [' login '] == ' login ' ** $ _POST [' pass'] == ' pass')

{

$valid_user=TRUE; // the User correct

}

else $valid_user=FALSE;


if ($valid_user)

{

echo ' Hello, the user ';

}

else echo ' In access it refused '

?>


I.e. have defined{determined} a variable $valid_user, as FALSE in case of failure.


Let's continue further …

Now use of function IsSet () becomes unsafe, since any can change a variable on ugodnuju to him.


I shall result an example with a sql-injection:



<?

if ($some_conditions) // some conditions

{

$where ='id=3 ';

}


echo $query ='SELECT id, title, description FROM table '

.'WHERE '. (IsSet ($where)? $where:'id=4 ')

?>


In an address bar we shall write: « index.php? where=id=0+UNION+ALL+SELECT+login, +password, +null+FROM+admin+where+login ='admin ' » we shall receive a sql-injection:



SELECT id, title, description FROM table WHERE id=0

UNION ALL SELECT login, password, null FROM admin where login ='admin '


And the hacker receives yours javki and passwords: (


As you see all examples, have holes in protection which can be maintained through switched on register_globals.


To cope similar it is possible if always to define{determine} a variable without dependence from conditions. Or to use inkapsuljaciju variables in functions i.e. when you define{determine} function variables, that inside it{her} will be closed from the outside, for example:



<?

function asd ()

{

// What that actions


if (IsSet ($where))

{

echo $where;

}

else echo ' $where does not exist ';

}

asd ();

?>


Now, if we shall write in an address bar: « index.php? where=123 »

Will give: « $where does not exist »

But it provided that you do not establish a variable $where as global, i.e. « global $where »


I can still more many examples, but I think, that resulted by me to you will be enough for understanding.

I want to say, that all these problems will sink into summers{years} when you establish an option register_globals=off and will try anew all above mentioned examples.


It can be made as in php.ini, but the majority a hosting of providers to you it will not allow, therefore it is necessary to use a file ".htaccess"


We create a file with the name: .htaccess

Let's write down in him :



php_flag register_globals off


And everything, now some safety issues are solved:)


It is a little about the reason of a spelling me this clause{article}:

Personally I never used register_globals = on since it seemed to me is illogical. As I knew, what is it one more "+" to protection. But to the full I did not realize as far as it can be dangerous. There was it when I have decided to write GSMgen - Google SiteMap generator which should work safely and at switched on register_globals. When I started it  to test, at me the shock … was as I like to use function IsSet () I have found in her direct vulnerability, and in process I had to refuse it: (There's nothing to be done …


I very much hope, that this clause{article} will change your opinion be relative register_globals. I think, that in due course a hosting providers will put all register_globals = off by default. But while it no, you know, how with it to struggle;-)





© Web Development Company Conkurent, LLC 2007-2009. All rights reserved.