Page 1 of 1
Register_global
Posted: Wed Apr 07, 2004 1:02 am
by S_henry
Can anybody explain to me what is the advantage/disadvantage to make the register_global on/off? Thanx for any response.
Posted: Wed Apr 07, 2004 3:07 am
by JayBird
read this
http://www.sitepoint.com/article/write- ... ts-php-4-2
Why you should have register_globals
off
Mark
Posted: Wed Apr 07, 2004 10:29 pm
by S_henry
Ok. I'll find it out. Actually I just want to know more about system security. Thanx for reply.
Posted: Thu Apr 08, 2004 8:19 am
by dsdsdsdsd
bech100;
I read the link that you sent;
in his first example he:
1) uses the variable $authorized
2) assignes it true or !true;
point about:
1) no one would know that he is using "a u t h o r i z e d" as his variable; before someone could trick his script they would need to know that the toggle wrapper is "a u t h o r i z e d";
2) couldn't he have been more evasive with the flag value if he had used "higjyyjwcjkwjywc" instead of true;
BIG QUESTION could anyone find out that he used "a u t h o r i z e d" for the wrapper and true for the flag value?
thanks
Shannon
Posted: Thu Apr 08, 2004 8:32 am
by JayBird
dsdsdsdsd wrote:bech100;
I read the link that you sent;
in his first example he:
1) uses the variable $authorized
2) assignes it true or !true;
point about:
1) no one would know that he is using "a u t h o r i z e d" as his variable; before someone could trick his script they would need to know that the toggle wrapper is "a u t h o r i z e d";
2) couldn't he have been more evasive with the flag value if he had used "higjyyjwcjkwjywc" instead of true;
BIG QUESTION could anyone find out that he used "a u t h o r i z e d" for the wrapper and true for the flag value?
thanks
Shannon
Its not really the point tho. It is just highlighting how register_globals on is a security flaw
Mark
Posted: Thu Apr 08, 2004 10:26 am
by Roja
dsdsdsdsd wrote:bech100;
I read the link that you sent;
in his first example he:
1) uses the variable $authorized
2) assignes it true or !true;
point about:
1) no one would know that he is using "a u t h o r i z e d" as his variable; before someone could trick his script they would need to know that the toggle wrapper is "a u t h o r i z e d";
2) couldn't he have been more evasive with the flag value if he had used "higjyyjwcjkwjywc" instead of true;
BIG QUESTION could anyone find out that he used "a u t h o r i z e d" for the wrapper and true for the flag value?
thanks
Shannon
You are arguing obscurity - if someone doesnt know, they cant get in. Its a fatal flaw in security to rely on obscurity.
Why?
Your question nails the answer - could anyone find out what he used for the wrapper and the flag value?
If there wasnt logging of repeated attempts, you can brute force it.. and beleive me, its VERY easy to get a few hundred thousand attempts an hour across most broadband connections (arguably a server would have AT LEAST that much connectivity).
In 2-3 days time, say over a holiday weekend, when no one is worried about their server? Boom. Now the attacker knows,and he is in.
But like Bech said.. its not about the relative security of obscure choices - it is about the fundamental security improvement that prevents the NEED for obscurity. Register_globals being on is a major security flaw.
Posted: Thu Apr 08, 2004 1:40 pm
by dsdsdsdsd
bech100, Roja;
nice answers;
thanks;
Shannon Burnett
Posted: Thu Apr 08, 2004 1:51 pm
by McGruff
The specific danger with reg globs on is that a hacker can assign a value to undefined vars in the global scope. Anything not in the global scope is safe. Anything which you assign a value to in the global scope is safe.
So, if you have to write scripts which will run in a reg globs on environment, always develop with E_ALL error reporting to catch any undefined vars (it's best to develop with E_ALL anyway - but turn error reporting down on a live site). If you don't have any undefined vars, reg globs on doesn't present a security risk.
Of course it's always better to switch it off if you can.
And user input always has to be validated.