WebApp Sec mailing list archives
Re: PHP and "Register_Globals"
From: "Jim McGarvey" <jim.mcgarvey () interblink com>
Date: Sun, 30 Mar 2003 01:12:44 -0800
On Sat, 29 Mar 2003, Ulrich P. wrote:
> - the application is *huge* - no one will pay me for re-writing tons of code :o( do you still think that I should re-write?
I think you need to consider the risk, and whether it justifies the cost. Sometimes long-term costs of maintaining an application can be greatly reduced by spending the time up front implementing sound security practices. But if you have no resources at this time to do more with the application, then it may be best to wait and see, and deal with the costs down the road if the system gets compromised or you decide to extend the functionality and make security updates at that time.

While I suggested that you update the code to work with "register_globals off" by manually setting your variables at the top of each php script, that is certainly not the only way to reasonably protect against the register_globals problem. If you understand the problem, you can do a security audit of your own code, looking for anything that could be exploitable. I would focus on parts of the code related to authentication, or any part of the code that does system calls or sql queries. Especially look for instances where an internal variable is set conditionally and can be left unset, since this is where an attacker could set a value which was inadvertently left unset. Spend as much time as you feel is reasonable for the risks involved.

Since compromises with "register_globals off" seem rather rare to me, I would not suggest spending a ton of time rewriting the application if you don't have the resources to do so. It is certainly possible to have a secure application even with register_globals on, it's just more work to verify that you have secured it as well as you possibly can.

-Jim
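The audit finding Jim describes (an internal flag assigned on only one branch and left unset on the other) in code, as an added example that is not from this mail or the list. The script shows the vulnerable shape for comparison and the hardened form beside it; `check_password()`, `show_admin_page()` and the variable names are hypothetical, and the user record is a constructed sample. The `ini_get` guard is only meaningful on the PHP 4/5.x deployments this thread is about, since the `register_globals` directive was removed in PHP 5.4.

```php
<?php
// Added example, not code from the original mail. Demonstrates the audit
// finding Jim describes (an internal flag assigned on only one branch) and
// its hardened form. check_password(), show_admin_page() and the variable
// names are hypothetical.

// E_ALL makes PHP report "Undefined variable" notices, which is the quickest
// way to surface conditionally-set variables during the kind of audit Jim
// recommends. Send them to the log, not the browser, on production systems.
error_reporting(E_ALL);

// 1. Fail loudly on a misconfigured deployment. register_globals is a
//    PHP_INI_PERDIR directive, so it cannot be turned off with ini_set();
//    it has to be fixed in php.ini ("register_globals = Off") or in a
//    per-directory .htaccess ("php_flag register_globals off"). On PHP 5.4+
//    the directive no longer exists and ini_get() returns false.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('register_globals is On; this application requires it to be Off');
}

// 2. The vulnerable shape from the audit, for comparison only:
//
//      if (check_password($user, $pass)) {
//          $authorized = true;                  // assigned on success only
//      }
//      if ($authorized) { show_admin_page(); }  // unset on the failure path
//
//    With register_globals=On every request parameter already exists as a
//    global before the first line runs, so a parameter named "authorized"
//    supplies the value the failure branch never assigned. The fix has two
//    parts: initialise every internal variable unconditionally, and read
//    input only from the superglobals so the data source is explicit.

// 3. Hardened form.
$authorized = false;                                        // set on every path
$user = isset($_POST['user']) ? (string) $_POST['user'] : '';
$pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';

if ($user !== '' && $pass !== '' && check_password($user, $pass)) {
    $authorized = true;
}

if ($authorized) {
    show_admin_page();
} else {
    header('HTTP/1.0 403 Forbidden');
    exit('login failed');
}

// Hypothetical stand-ins so the file parses and runs on its own. A real
// application verifies against its user store with a proper password hash.
function check_password($user, $pass)
{
    // Constructed sample record; a real store holds pre-computed hashes.
    $users = array('alice' => hash('sha256', 'correct horse battery staple'));
    return isset($users[$user]) && hash('sha256', $pass) === $users[$user];
}

function show_admin_page()
{
    echo "welcome, authorised user\n";
}
```

The two-part fix is what "register_globals off" buys for free: once input is read only through `$_POST`/`$_GET` and every flag has an initial value, the script behaves identically under either setting, which is also the property to verify when auditing the authentication, system-call and SQL paths Jim singles out.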
Current thread:
- PHP and "Register_Globals" Ulrich P. (Mar 29)
- Re: PHP and "Register_Globals" Adrian (Mar 29)
- Re: PHP and "Register_Globals" shimi (Mar 29)
- Re: PHP and "Register_Globals" Jim McGarvey (Mar 29)
- Re: PHP and "Register_Globals" Ulrich P. (Mar 30)
- Re: PHP and "Register_Globals" Jim McGarvey (Mar 30)
- Re: PHP and "Register_Globals" Jim McGarvey (Mar 29)
- Re: PHP and "Register_Globals" Chris Travers (Mar 29)
- Re: PHP and "Register_Globals" Nasir Simbolon (Mar 30)