Blog moved to http://karteek.selfdabba.com

Saturday, August 25, 2007

Register ? Globals ? What ???

I deal with a little PHP at my work. Some of my teamies also deal with PHP. One of my teamies, who has since left for another company, created a great application: a shopping cart with certain _damn_cool_ features. He used PHP to do some of the work.

Someone else wanted to see that tool again, and another teamie tried installing it on a laptop. He was reading the Installation Manual for the application, where I saw one point: "Set register_globals to ON".

As a security enthusiast, I read a lot about "how not to do it". I still remember that most controversial change in PHP, when the default value for register_globals was changed to ON from OFF. When I came back to the scene, I could smell one thing: a possible security breach. Registering globals can be fatal for an application when the logic is bad.

Consider the following code snippet:

<?php
// Vulnerable pattern (from php.net): $authorized is only assigned on the
// success path and is never explicitly initialised to false.
if (authenticated_user()) {
    $authorized = true;
}
// With register_globals=On, $authorized may already exist, populated from the request.
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>

In the above snippet (from php.net), you can see that if the user is authenticated, a variable $authorized is defined with the value true. If the value of $authorized is true, the highly sensitive data is included.

The logic doesn't look flawed from the outside of the code. But it is a very bad way to code such an application, especially when register_globals is on.

When register_globals is set to ON, anyone can create a variable through a request. Now, if we call the above code as

access.php?authorized=1

What's going to happen now? If I'm an authenticated_user(), fine; I've every right to access the data. If I'm not, $authorized is still created with the value 1, because we created it through our GET request, and this gives me access to the sensitive data which I'm not allowed to access. Here, this can be avoided by initialising $authorized to false at the top of the code.
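The vulnerable and the fixed pattern side by side, as an added example that is not part of the original post or of php.net. register_globals cannot be toggled at runtime (and is gone from modern PHP), so extract() is assumed here as a stand-in for what the directive did: copying every request parameter into the script's variable scope. authenticated_user() is a placeholder that always fails, standing for an unauthenticated visitor.

```php
<?php
// Added example. extract($request) below simulates register_globals=On:
// every request parameter becomes a plain variable in the current scope.

function authenticated_user() {
    // Placeholder for the real check: model an unauthenticated visitor.
    return false;
}

// Vulnerable pattern from the post: $authorized is only assigned on the
// success path, so a value injected into the scope survives untouched.
function vulnerable(array $request) {
    extract($request);                  // what register_globals=On did for you
    if (authenticated_user()) {
        $authorized = true;
    }
    return !empty($authorized);         // true means sensitive data gets included
}

// Hardened pattern: initialise before use so the request cannot pre-seed it.
function hardened(array $request) {
    extract($request);                  // same hostile scope as above
    $authorized = false;                // the fix suggested in the post
    if (authenticated_user()) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request, equivalent to access.php?authorized=1
$request = ['authorized' => '1'];

echo "vulnerable grants access: ", var_export(vulnerable($request), true), "\n";
echo "hardened grants access:   ", var_export(hardened($request), true), "\n";
```

Run it with `php example.php`; the same request that slips past the first function is rejected by the second, which is the whole effect of the one-line initialisation.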

You can learn more about this security issue at php.net. If you are using PHP older than 4.2.0, don't forget to change the directive register_globals to OFF, or take proper care to secure your code. If you are using PHP 4.2.0 or newer, you need not worry much about this, as the default value is OFF. This directive is going to be removed from PHP 6 onwards.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License.

I'm not a lawyer to tell this in a perfect framed sentence. Frame it by yourself if you are so concerned.
Don't think about the content of this blog. Every byte is owned by its rightful owner.
Rest © 2006-2007 Karteek