register_globals security risk?



djr33
12-05-2006, 05:50 AM
I was thinking today and realized that having register_globals set might cause a security flaw. Here are some situations... please let me know your thoughts--

1. Your script has, for example, a log-in function. It checks the session variables to see if the user and pass values match what is in the database and then sets $loggedin to 1.
If register_globals were on, couldn't the user just type ...?loggedin=1 and get around the security, claiming to be logged in?

2. Less of a security risk, but more of a problem-- what if you have a variable... any variable... in your script and the user puts ?thatvar=something in the URL? Wouldn't that cause errors in execution?

These are really the two examples I can think of, but they are big problems. It seems that just turning off register globals makes the most sense.

codeexploiter
12-05-2006, 06:15 AM
Yes indeed, register_globals being on is a wide-open security hole. Until PHP version 4.2.0, this setting was on by default. The following is an example of exploitable source code:


<?php
// ex1.php
if (some condition) {
$loggedin = 1;
}

if ($loggedin == 1) {
// allow access to something important
}
?>

If register_globals is on, a malicious user can pass a parameter as follows:


www.site.com/ex1.php?loggedin=1

Since the variable $loggedin was never initialized, the user gains access where they shouldn't.

Here's how the code can be secured.


<?php
// ex2.php

// first initialize the loggedin variable
$loggedin = 0;

if (some or other condition) {
$loggedin = 1;
}

if ($loggedin == 1) {
// allow access to something important
}
?>

If register_globals is off, the first script would also be immune to that sort of attack. Instead, the variable would only be accessible as $_GET['loggedin'], where it can do much less harm.
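The bypass and the fix above, as an added example that is not code from the original post. register_globals was removed in PHP 5.4, so the script emulates it with extract(), which does exactly what register_globals did (copies every request key into a variable of that name). The request array and the credential-check result are constructed inputs; the function names are mine.

```php
<?php
// Added example, not code from the original post. PHP 5.4+ has no
// register_globals, so it is emulated here with extract(), which copies
// every request key into a variable of the same name, as register_globals did.

// Constructed request for the demonstration; in a real deployment these
// values come from the query string sent by a possibly hostile client.
$constructed_get = ['loggedin' => '1', 'user' => 'guest'];

/**
 * Vulnerable pattern (the original ex1.php): $loggedin is never initialised,
 * and the request is imported into the variable namespace.
 *
 * @param array $request       request parameters ($_GET / $_POST style)
 * @param bool  $credentialsOk result of the real credential check (assumed)
 */
function vulnerable_check(array $request, bool $credentialsOk): bool
{
    extract($request); // register_globals emulation: $loggedin = '1', $user = 'guest'

    if ($credentialsOk) {
        $loggedin = 1;
    }

    // Reads $loggedin whether or not this script ever assigned it. The null
    // coalescing only silences the notice PHP would raise; the decision is
    // the same loose "== 1" test as in ex1.php.
    return ($loggedin ?? 0) == 1;
}

/**
 * Hardened pattern (the original ex2.php, plus explicit request reads):
 * initialise before use, and take request data only from the array,
 * never by importing it into the variable namespace.
 */
function hardened_check(array $request, bool $credentialsOk): bool
{
    $loggedin = 0;                              // explicit default; cannot be pre-set by a request
    $user = (string) ($request['user'] ?? '');  // explicit, typed read for the real check (not shown)

    if ($credentialsOk) {
        $loggedin = 1;
    }

    return $loggedin === 1;                     // strict comparison: integer 1 only
}

// Attacker: wrong password, but ?loggedin=1 in the URL.
foreach (['vulnerable_check', 'hardened_check'] as $fn) {
    $granted = $fn($constructed_get, false);
    printf("%-16s register_globals emulated: %s\n", $fn,
        $granted ? 'ACCESS GRANTED (bypass)' : 'denied');
}

// The same vulnerable script with register_globals off (nothing imported):
// $loggedin is never set, so the uninitialised variable cannot grant access.
printf("%-16s register_globals off:      %s\n", 'vulnerable_check',
    vulnerable_check([], false) ? 'ACCESS GRANTED (bypass)' : 'denied');
```

The same hole comes back on a register_globals = Off server the moment a script calls extract($_GET), extract($_POST) or the old import_request_variables() without a whitelist of expected keys, so those calls are the thing to grep for when auditing code that was "fixed" by flipping the php.ini switch.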

djr33
12-05-2006, 06:45 AM
Right. That's what I thought. Interesting.

Twey
12-05-2006, 07:05 PM
It's safe with a decent coding style. All variables should be initialised before use anyway.

However, it's just generally ugly to have request variables cluttering up the global namespace.

djr33
12-06-2006, 05:02 AM
Yeah, that is a pain.

codeexploiter
12-06-2006, 05:08 AM
But I think there are (were) some big applications, like osCommerce, that work on the assumption that register_globals is on.

But if it is possible to avoid security risks when it is on, better to turn it off :D

boxxertrumps
12-06-2006, 03:07 PM
Wouldn't a better form of login use a DB/txt file to store the users that are logged in, and their IPs to distinguish the users? Then once the login has been inactive for an hour or so, delete it?

I'm seeing the flaw in using GET for logins, instead of POST, which hides the variables.
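The server-side login table described in the post above, as an added example that is not from the original thread. The table is an in-memory array so the script runs stand-alone; a real deployment would back it with a database table or file holding the same columns (token, user, ip, last_seen). The function names, the clock values and the IP addresses are constructed for the walk-through.

```php
<?php
// Added example, not from the original thread: a server-side record of who is
// logged in, keyed by a random token, bound to the client IP and expired after
// a period of inactivity. Array-backed here so it runs without a database.

const INACTIVITY_LIMIT = 3600; // seconds; "an hour or so"

/** Create a login record and return the opaque token the client will present. */
function login(array &$table, string $user, string $ip, int $now): string
{
    $token = bin2hex(random_bytes(32)); // unguessable; the only secret the client holds
    $table[$token] = ['user' => $user, 'ip' => $ip, 'last_seen' => $now];
    return $token;
}

/**
 * Look up a presented token. Returns the user name, or null when the token
 * is unknown, idle past the limit, or presented from a different IP.
 * An idle row is deleted on the way out, which is the "delete it" step.
 */
function current_user(array &$table, string $token, string $ip, int $now): ?string
{
    if (!isset($table[$token])) {
        return null;                       // unknown or already-deleted token
    }
    $row = $table[$token];
    if ($now - $row['last_seen'] > INACTIVITY_LIMIT) {
        unset($table[$token]);             // expired: remove the record
        return null;
    }
    if (!hash_equals($row['ip'], $ip)) {
        return null;                       // token replayed from another address
    }
    $table[$token]['last_seen'] = $now;    // activity extends the login
    return $row['user'];
}

/** Periodic cleanup (e.g. from cron): drop every record idle past the limit. */
function purge_expired(array &$table, int $now): int
{
    $before = count($table);
    $table = array_filter($table, fn($row) => $now - $row['last_seen'] <= INACTIVITY_LIMIT);
    return $before - count($table);
}

// Constructed walk-through with a fixed clock so the run is deterministic.
$table = [];
$t0    = 1700000000;
$token = login($table, 'alice', '203.0.113.5', $t0);

var_dump(current_user($table, $token, '203.0.113.5', $t0 + 600));    // same IP, within the limit
var_dump(current_user($table, $token, '198.51.100.9', $t0 + 700));   // same token, different IP
var_dump(current_user($table, 'deadbeef', '203.0.113.5', $t0 + 700)); // token never issued
var_dump(current_user($table, $token, '203.0.113.5', $t0 + 700 + INACTIVITY_LIMIT + 1)); // idle too long
var_dump(count($table));                                              // table after the expired row is dropped
var_dump(purge_expired($table, $t0 + 9999));                          // nothing left to purge
```

Two caveats a practitioner would add. Binding the record to an IP address does not identify a user on its own: clients behind carrier-grade NAT or a corporate proxy share one address, mobile clients change address mid-session, and an attacker on the same NAT is not stopped. The random token, sent only over TLS, is the real protection; the IP check is a secondary tripwire. And POST does not hide the credentials from an attacker who can see the traffic; it only keeps them out of the URL, browser history and server access logs, which is still worth having.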

Twey
12-06-2006, 03:35 PM
Yes, but that was just an example. A real situation would probably be a lot more complex than that.

codeexploiter
12-07-2006, 10:12 AM
A useful link (http://www.sklar.com/page/article/owasp-top-ten) that presents the OWASP Top Ten Security Vulnerabilities as they apply to PHP.