What are the most common problems and dangers when enabling 'register_globals' in PHP?

13

Recently I asked the following question: How does the file get $_POST?

Based on the comments and the answer, I was interested in knowing: what are the main problems and dangers of having this function enabled in php.ini?

    
asked by anonymous 22.09.2014 / 15:56

3 answers

17

With this option on, it is possible for the user to define variables in your code at the time of the request, and therefore your code should be written with great care (which does not happen much...). An example of vulnerable code:

<?php
// set $authorized = true only if the user is authenticated
if (authenticated_user()) {
    $authorized = true;
}
// Because we did not initialize $authorized as false, it can be
// set through register_globals, for example with GET auth.php?authorized=1
// That way, anyone can be seen as authenticated!
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>

If the user enters the URL www.seudominio.com.br/arquivo.php?authorized=1, then PHP will interpret the code as follows:

<?php
// At this point it automatically turns the $_GET entry into the corresponding variable.
$authorized = 1;
// This check loses its meaning, since the variable already counts as true
if (authenticated_user()) {
    $authorized = true;
}
// Since true and 1 carry the same weight in the check, i.e. both are equivalent,
// at this point the check would show the data to anyone who came in
// through the URL mentioned above.
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>

Reference and more comments on link

    
22.09.2014 / 18:19
6

Whenever you enable 'register_globals' you are authorizing the entire world, through an HTTP request, to create and overwrite variables in your PHP script.

Each HTTP request is transformed into a global-scope array by PHP. With this option enabled, all the keys in this array are transformed into global-scoped variable names. If you call one of these variables and it is not initialized, it will assume the global value, i.e. the value of a POST or GET.

Let's say that's it: you've lost a blank check with your signature, and now you pray nobody will find the check and fill it out with less than your account.

    
22.09.2014 / 18:49
0

register_globals has been deprecated since version 5.4 because it put many applications at risk.

With it, anyone who calls a URL such as:

mysite.com/teste.php?variavel=value

could simply set a value for it within your code. There were a lot of attacks based on that.

After PHP 5.4, to simulate register_globals in case you need to, just use extract(); at the beginning of the code. So all the variables that come by POST or GET already arrive "ready".

The command is very simple: extract();

But use it carefully, okay?

    
15.06.2016 / 15:10
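
Calling extract() on request data, as in the last answer, recreates the uninitialized-flag problem shown in the first answer. The following is an added example, not code from any of the answers, comparing that pattern with an initialized flag and allow-listed, validated input; the $request array and the authenticated_user() stub are constructed for illustration.

```php
<?php
// Constructed request: simulates GET /auth.php?authorized=1&page=2 (sample input, not real traffic).
$request = ['authorized' => '1', 'page' => '2'];

// Hypothetical stand-in for the authenticated_user() call in the first answer.
function authenticated_user(): bool
{
    return false; // the visitor is NOT logged in
}

// Weak: extract() on request data behaves like register_globals, so the
// request decides the value of the uninitialized $authorized flag.
function check_with_extract(array $request): bool
{
    extract($request);
    if (authenticated_user()) {
        $authorized = true;
    }
    return !empty($authorized);
}

// Hardened: the flag is initialized before use, and only allow-listed
// keys are read from the request, each validated to the expected type.
function check_hardened(array $request): array
{
    $authorized = false;
    if (authenticated_user()) {
        $authorized = true;
    }
    $page = filter_var(
        $request['page'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['default' => 1, 'min_range' => 1]]
    );
    return ['authorized' => $authorized, 'page' => $page];
}

var_dump(check_with_extract($request)); // flag value came from the request
var_dump(check_hardened($request));     // flag value comes only from authenticated_user()
```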