register_globals and query string question

Posted: Mon Apr 24, 2006 12:16 pm
by MrHamburger
If I were to use the following code to keep out unauthenticated users (users must provide login/pass at another page):

Code:

<?php
    session_start();

    // check session variable
    if (isset($_SESSION['log'])) {
        // content of page
        // stuff for logged in user
    }
    else {
        echo "you must log in to see this page";
    }
?>

and register_globals is left on, shouldn't an unlogged in (ab)user be able to get access to the content of the page by passing "?log=1" (or something thereabouts) in a query string?

Thanks for the help!

Posted: Mon Apr 24, 2006 12:21 pm
by feyd
no.

Posted: Mon Apr 24, 2006 1:21 pm
by R4000
Nope, your script covers for that well :)

If you used:

Code:

<?php
    session_start();

    // check session variable
    if (isset($log)) {
        // content of page
        // stuff for logged in user
    }
    else {
        echo "you must log in to see this page";
    }
?>
Then ?log=1 would get around it...
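
The difference between the two checks above, as an added example that is not part of any post in this thread. register_globals was removed in PHP 5.4, so `extract()` stands in for it here; the function name `checkBoth`, the precedence given to session values, and the sample requests are assumptions made for the illustration.

```php
<?php
// Added illustration; not code from the thread.
// extract() emulates what register_globals=On did to the variable scope.

function checkBoth(array $query, array $session): array
{
    // With register_globals on, registered session values and request
    // parameters both became plain variables. EXTR_SKIP keeps a key named
    // "query" or "session" from replacing this function's own arguments,
    // and lets the session value win if both sources define the same name
    // (an assumption of this emulation).
    extract($session, EXTR_SKIP);
    extract($query, EXTR_SKIP);

    return [
        // Check from the original post: reads only the server-side session
        // array, which a query string cannot write to.
        'session_check' => isset($session['log']),
        // Check from the reply: reads a bare variable, which exists as soon
        // as any request source supplies a value named "log".
        'bare_variable_check' => isset($log),
    ];
}

// Constructed sample requests: [query string parameters, session contents].
$cases = [
    'anonymous, no parameters' => [[], []],
    'anonymous, ?log=1'        => [['log' => '1'], []],
    'logged in, no parameters' => [[], ['log' => true]],
];

foreach ($cases as $label => [$query, $session]) {
    $result = checkBoth($query, $session);
    printf(
        "%-26s session_check=%-5s bare_variable_check=%s\n",
        $label,
        var_export($result['session_check'], true),
        var_export($result['bare_variable_check'], true)
    );
}
```

Only the second case separates the two checks: the request supplies `log`, the session does not, and the bare-variable test passes while the `$_SESSION` test still refuses.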

Posted: Mon Apr 24, 2006 1:44 pm
by MrHamburger
Hmm...thanks. I've been reading the PHP Security Consortium Security Guide (http://phpsec.org/projects/guide/) section about Sessions and am trying to figure out how the design in my original post could be compromised...is there an obvious way to crack it that I don't see??