WebApp Sec mailing list archives

Re: PHP and "Register_Globals"


From: "Jim McGarvey" <jim.mcgarvey () interblink com>
Date: Sun, 30 Mar 2003 01:12:44 -0800


On Sat, 29 Mar 2003, Ulrich P. wrote:

- the application is *huge*
- no one will pay me for re-writing tons of code :o(

Do you still think that I should re-write?


I think you need to consider the risk, and whether it justifies the cost.
Sometimes long-term costs of maintaining an application can be greatly
reduced by spending the time up front implementing sound security practices.
But if you have no resources at this time to do more with the application,
then it may be best to wait and see, and deal with the costs down the road
if the system gets compromised or you decide to extend the functionality and
make security updates at that time.

While I suggested that you update the code to work with "register_globals
off" by manually setting your variables at the top of each PHP script, that
is certainly not the only way to reasonably protect against the
register_globals problem.  If you understand the problem, you can do a
security audit of your own code, looking for anything that could be
exploitable.  I would focus on parts of the code related to authentication,
or any part of the code that does system calls or SQL queries.  Especially
look for instances where an internal variable is set conditionally and can
be left unset, since this is where an attacker could set a value which was
inadvertently left unset.

Spend as much time as you feel is reasonable for the risks involved.  Since
compromises with "register_globals off" seem rather rare to me, I would not
suggest spending a ton of time rewriting the application if you don't have
the resources to do so.

It is certainly possible to have a secure application even with
register_globals on; it's just more work to verify that you have secured it
as well as you possibly can.

-Jim
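
The audit step described in the message above (finding internal variables that are set only conditionally and can be left unset) can be partly automated. The following is an added example, not part of the original post: a heuristic Python scanner for flat, top-level PHP script code. The names `audit`, `SAMPLE` and `FIXED`, and the PHP functions `check_password()` and `show_account()`, are hypothetical.

```python
import re

# Superglobals and $this are not treated as uninitialised script variables.
BUILTIN = {"_GET", "_POST", "_COOKIE", "_SERVER", "_SESSION", "_FILES",
           "_ENV", "_REQUEST", "GLOBALS", "this"}
# Tokens in source order: braces, ";", branching keywords, and variables
# with an optional plain "=" (not "==", "=>", ".=").
TOKEN = re.compile(r"(?P<brace>[{}])|(?P<end>;)"
                   r"|\b(?P<branch>if|else|elseif|while|foreach|switch)\b"
                   r"|\$(?P<var>[A-Za-z_]\w*)(?P<assign>\s*=(?![=>]))?")

def audit(php_source):
    """Return [(line_no, name)] for variables read before any unconditional
    assignment; with register_globals on, the request can supply those."""
    depth, branching = 0, False
    pending, initialised, seen, findings = set(), set(), set(), []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        line = re.sub(r"(^|\s)(//|#).*", "", line)  # crude comment strip
        for tok in TOKEN.finditer(line):
            if tok["brace"]:
                depth += 1 if tok["brace"] == "{" else -1
                branching = False
            elif tok["end"]:
                initialised |= pending  # an assignment counts after its RHS
                pending.clear()
                branching = False
            elif tok["branch"]:
                branching = True  # the statement that follows may not run
            elif tok["var"] in BUILTIN:
                continue
            elif tok["assign"]:
                if depth == 0 and not branching:
                    pending.add(tok["var"])
            elif tok["var"] not in initialised | seen:
                seen.add(tok["var"])
                findings.append((line_no, tok["var"]))
    return findings

# Constructed sample: $authorized is assigned only when the check succeeds.
SAMPLE = """<?php
$user = $_POST['user'];
if (check_password($user, $_POST['pass'])) {
    $authorized = true;
}
if ($authorized) {
    show_account($user);
}
"""
# Same script with the flag initialised before the conditional assignment.
FIXED = SAMPLE.replace("if (check", "$authorized = false;\nif (check", 1)
```

`audit(SAMPLE)` reports the read of `$authorized` on line 6, and `audit(FIXED)` reports nothing. Function bodies, `foreach` loop variables and included files are not modelled, so findings are candidates for manual review.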

