October 2008
Monthly Archive
Yesterday I went to an interview for a new job. As with many programming/developer jobs, after a bit of a chat the interviewer and a lead developer gave me a small test on my PHP knowledge.
I was given 3 pieces of paper with some PHP code on them that was intentionally erroneous and given 15 minutes to mark all the errors on them.
Hindsight is a beautiful thing, I suppose. After leaving the interview something came to mind that I didn't notice straight away.
The code was using something like this:
Because we didn’t first initialize the $loginstatus variable as false using:
the variable might be defined through the register_globals setting instead, such as from a GET URL query string from a posted form, e.g.
auth.php?loginstatus=1
So, anyone can be seen as authenticated when testing like this!
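The pattern described above, as an added example that is not the code from the interview test. register_globals is simulated with extract() so it runs on current PHP, and the function names, credentials and request arrays are constructed for illustration.

```php
<?php
// Added example. register_globals no longer exists in current PHP, so
// extract() stands in for it: both turn request keys into variables.

function check_credentials(string $user, string $pass): bool
{
    // Constructed stand-in for a real credential lookup.
    return $user === 'alice' && $pass === 's3cret';
}

// Vulnerable: $loginstatus is only assigned on success and never initialized,
// so a request parameter with the same name supplies its value.
function auth_vulnerable(array $request): bool
{
    extract($request); // simulates register_globals = On
    if (isset($user, $pass) && check_credentials($user, $pass)) {
        $loginstatus = true;
    }
    return !empty($loginstatus);
}

// Hardened: initialize the flag before testing it, and read credentials
// from the request array by name instead of trusting imported variables.
function auth_hardened(array $request): bool
{
    extract($request);     // still simulating register_globals = On
    $loginstatus = false;  // overwrites anything the request injected
    $user = $request['user'] ?? '';
    $pass = $request['pass'] ?? '';
    if (is_string($user) && is_string($pass) && check_credentials($user, $pass)) {
        $loginstatus = true;
    }
    return $loginstatus;
}

// Constructed requests: a valid login, an empty request, and the
// auth.php?loginstatus=1 case from the text.
$cases = [
    'valid credentials'      => ['user' => 'alice', 'pass' => 's3cret'],
    'no credentials'         => [],
    'auth.php?loginstatus=1' => ['loginstatus' => '1'],
];

foreach ($cases as $label => $request) {
    printf("%-24s vulnerable=%-5s hardened=%s\n", $label,
        var_export(auth_vulnerable($request), true),
        var_export(auth_hardened($request), true));
}
```

Only the last case differs: the uninitialized version reports the request as authenticated, while the initialized version does not.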
Oh boy! How dangerous could that be! Even though register_globals has been turned off by default since PHP 4.2.6, that should not be taken for granted: when it is turned on it can be a security loophole, which is why it’s scheduled for removal.
I can’t believe I missed it at the time (although it did come to me afterwards). It’s that easy to create a potentially insecure application.
As of PHP 6, though, this can no longer happen, as the register_globals PHP setting is being removed completely. Good.