
Vulnerability by PHP Register Global

If register_globals is on in php.ini, PHP turns any value in the URL into a script variable. For example, the URL http://www.example.com/test.php?login=true&userid=1 will declare $login as a global variable without any script initialization required.

If the register_globals directive is turned ON, global variables like $login can be accessed or set directly from the URL, instead of through $_POST["login"] or $_GET["login"].

Problem 

if (isset($_POST['userid'])) {
    $login = TRUE;
    $userid = $_POST['userid'];
}
if ($login) {
    /* display authorized user information */
}
In the code, a check such as isset($_POST['userid']) or is_authorized_user() (a function containing some code that returns true if a user is valid) decides whether $login is set to TRUE.

An intruder can simply send the URL request http://www.example.com/test.php?login=true. In this way, whether or not the check (such as if (is_authorized_user())) returns true, $login will be set to true because it is true in the URL, and the content will be displayed to an unauthorized user.

Solution

Always initialize variables in the script:
$login = false; // this will make $login false even if it is true in url
if (is_authorized_user()) {
    $login = TRUE;
}
if ($login) {
    /* display content intended only for authorized users */
}

Another example of this: a request to delete.php?del_user[]=1&del_user[]=2 with register_globals=On
$del_user[] = 95; // add the only desired value
foreach ($del_user as $v) {
    mysql_query("DELETE FROM users WHERE id=".(int)$v);
}
Above, the list of users to be removed is stored inside the $del_user array, which is supposed
to be created and initialized by the script. However, since register globals is enabled, $del_user
is already initialized through user input and contains two arbitrary values. The value 95 is appended as a third element.

The best way to deal with this is to always initialize your arrays:

$del_user = array(); // creates a new empty array, erasing any injected values in the process.
$del_user[] = 95; // add the only desired value
Setting $del_user
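
The two cases above, as an added example that is not part of the original article: because register_globals no longer exists in PHP 5.4 and later, the code emulates it by calling extract() on a parsed query string. The stub is_authorized_user() and the function names vulnerable_page(), hardened_page() and delete_ids() are assumptions made for the illustration.

```php
<?php
// Emulates register_globals (gone since PHP 5.4) by importing request
// parameters into local scope with extract(). Names here are assumptions.

// Hypothetical stand-in for the article's is_authorized_user(): always denies.
function is_authorized_user(): bool
{
    return false;
}

// Vulnerable: $login is never initialized, so an injected value survives.
function vulnerable_page(array $query): bool
{
    extract($query);            // what register_globals=On did implicitly
    if (is_authorized_user()) {
        $login = true;
    }
    return !empty($login);      // true means protected content is shown
}

// Hardened: initialize in the script, as the article advises.
function hardened_page(array $query): bool
{
    extract($query);
    $login = false;             // overwrites any injected $login
    if (is_authorized_user()) {
        $login = true;
    }
    return $login;
}

// Array case from delete.php: returns the ids that would be deleted.
function delete_ids(array $query, bool $initialize): array
{
    extract($query);
    if ($initialize) {
        $del_user = array();    // erases injected values
    }
    $del_user[] = 95;           // the only desired value
    return array_map('intval', $del_user);
}

// Constructed requests matching the article's URLs.
parse_str('login=true', $q1);
parse_str('del_user[]=1&del_user[]=2', $q2);

var_dump(vulnerable_page($q1), hardened_page($q1));
echo implode(',', delete_ids($q2, false)), "\n";
echo implode(',', delete_ids($q2, true)), "\n";
```

Code that still calls extract() or a similar import on request data reproduces the same problem on current PHP versions, so the initialization rule applies there as well.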


Don't worry be brave use best approach

Initialize all variables and develop with error_reporting set to E_ALL, so that any uninitialized variable won't be overlooked during development.
You cannot simply use ini_set() to turn register globals off. You must disable the option in php.ini, httpd.conf, or .htaccess.
PHP constants can also provide very basic protection against register globals, but remember, very basic: they themselves can create some threat :)

Though register globals may be a very basic level of threat, as a programmer (in any language) you always need to take care of several other, bigger threats in your code, such as SQL injection, CSRF and session fixation attacks. Still, it is better to start coding with even this kind of basic detail in mind.

Good news
PHP 4.2 disabled register globals by default and this feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0. 


2 comments:

Setu Bridge said...

You have shared really such nice information, which has helped me so much, and I think it will help many other people.

magento development

Anonymous said...

Cool


© 2011 PHP Tweak- advance php,javascript,html article, AllRightsReserved.