Hey all,

Just a quick question: on my dedicated server, do I need register_globals enabled or not? The sort of things I am running on my server are things like vBulletin and PHPBB, a link directory and a topsites script. So do I need it enabled and what does it actually do? It is safer to disable it, I think, right?
Safer to disable, but it is impossible to tell you if you *need* it or not because I don't know all the code running on the system. I tend to keep it on because I use it, but again it is safer with it off if you do not need it, because guys can try passing exploit or malicious code and if "cookie" cutter scripts are not secured properly it can do some real damage, such as 'rm -r /' being passed through global var.... You know what I mean? So if you don't need it then turn it off...

So onto the explanation...

When on, register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier. It was a difficult decision, but the PHP community decided to disable this directive by default. When on, people use variables yet really don't know for sure where they come from and can only assume. Internal variables that are defined in the script itself get mixed up with request data sent by users and disabling register_globals changes this.

Exploit when on:

```php
<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}

// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>
```

When register_globals = on, our logic above may be compromised. When off, $authorized can't be set via request so it'll be fine, although it really is generally a good programming practice to initialize variables first. For example, in our example above we might have first done $authorized = false. Doing this first means our above code would work with register_globals on or off, as users by default would be unauthorized.

Another example is that of sessions.
When register_globals = on, we could also use $username in our example below, but again you must realize that $username could also come from other means, such as GET (through the URL).

Example off or on:

```php
<?php
// We wouldn't know where $username came from but do know $_SESSION is
// for session data
if (isset($_SESSION['username'])) {
    echo "Hello <b>{$_SESSION['username']}</b>";
} else {
    echo "Hello <b>Guest</b><br />";
    echo "Would you like to login?";
}
?>
```
On the security side, if you look in your PHP error log and you find "PHP Notice: Undefined variable:" in it anywhere then you may be vulnerable to this sort of attack. If you are using undefined variables then the attack is only limited by what you do with them.

If you don't have a PHP error log already, these settings in your php.ini will give you one:

```ini
error_reporting = E_ALL
display_errors = Off
log_errors = On
error_log = filename
```

If you don't specify the error_log, PHP will put the errors in your Apache error log. If you have separate Apache error logs for each site on the server then PHP will conveniently log its errors in the logfile of the site that caused the error.
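
The log check described in the last reply, as an added example that is not part of the original thread: it scans an error log for "PHP Notice: Undefined variable:" entries and groups them by file, line and variable, so each uninitialized variable can be reviewed and given a default. The sample log lines, paths and function names are constructed for illustration, and the line formats are assumed to match PHP's own error_log and the Apache error log.

```python
import re
from collections import Counter

# Constructed sample lines (not from a real server): PHP's own error_log
# format and the Apache error-log format PHP falls back to.
SAMPLE_LOG = """\
[12-Mar-2008 10:15:02] PHP Notice:  Undefined variable: authorized in /var/www/example/auth.php on line 9
[12-Mar-2008 10:15:40] PHP Notice:  Undefined variable: authorized in /var/www/example/auth.php on line 9
[12-Mar-2008 10:16:11] PHP Warning:  include(/highly/sensitive/data.php): failed to open stream: No such file or directory in /var/www/example/auth.php on line 10
[Wed Mar 12 10:17:03 2008] [error] [client 192.0.2.10] PHP Notice:  Undefined variable: username in /var/www/example/hello.php on line 4, referer: http://www.example.com/
[12-Mar-2008 10:18:00] PHP Notice:  Undefined index: page in /var/www/example/index.php on line 3
"""

# Matches only the notice named in the thread; other notices are ignored.
NOTICE = re.compile(
    r"PHP Notice:\s+Undefined variable:\s+(?P<var>\w+)"
    r" in (?P<file>.+?) on line (?P<line>\d+)"
)


def undefined_variables(log_text):
    """Count each (file, line, variable) that was read before assignment."""
    hits = Counter()
    for entry in log_text.splitlines():
        m = NOTICE.search(entry)
        if m:
            hits[(m["file"], int(m["line"]), m["var"])] += 1
    return hits


def report(hits):
    """One line per code location, most frequently logged first."""
    return [
        f"{path}:{line} ${var} ({count}x) - initialize before use"
        for (path, line, var), count in hits.most_common()
    ]


if __name__ == "__main__":
    print("\n".join(report(undefined_variables(SAMPLE_LOG))))
```
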