[28700] in bugtraq


Re: Zorum Portal (PHP)

daemon@ATHENA.MIT.EDU (MightyE)
Thu Jan 30 10:49:26 2003

Message-ID: <3E38359B.6000008@mightye.org>
Date: Wed, 29 Jan 2003 15:12:11 -0500
From: MightyE <mightye@mightye.org>
MIME-Version: 1.0
To: Messer <igmpfrag@dezigner.ru>
In-Reply-To: <203548732.20030129073937@dezigner.ru>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Messer wrote:

>Hello MGHz,
>
>In new versions of PHP (PHP 4.2.3 and higher) for reception of values
>transmitted to the form it's necessary to write:
>
>$Variable = $HTTP_GET_VARS ['var']; // Request Method - GET
>or
>$Variable = $HTTP_POST_VARS ['var']; // Request Method - POST
>
>
>// example: http://host.com/script.php?var1=value1&var2=value2
>$Var_1 = $HTTP_GET_VARS['var1'];
>$Var_2 = $var2;
>// $Var_1 == "value1"
>// $Var_2 == ""
>
>Messer.
>
Actually that's just the default.  As per
http://www.php.net/manual/tw/configuration.directives.php#ini.register-globals
it is still possible to configure PHP to register global variables such
as $HTTP_POST_VARS['var'] as root level global variables, where your
above example would render $Var_2 == "value2".  This is a directive set
in the php.ini file, and frequently required for reverse compatibility.
Setting register_globals to false in php.ini will circumvent many such
attacks, though it may break some scripts.  The fact that it now
defaults to false will hopefully keep developers using $_POST, $_GET,
$HTTP_POST_VARS, and $HTTP_GET_VARS, which is far more secure.

-MightyE
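The safe handling pattern the two posters are circling around, written out as an added example that is not part of either message in this thread and not Zorum code: read request input only through the superglobals with an explicit default, initialise every variable before it is tested, and refuse to run at all if the interpreter still has register_globals switched on. The script name `fetch.php`, the parameter names and the `$isAdmin` flag are assumptions made for the illustration. It targets current PHP; register_globals and the `$HTTP_*_VARS` arrays were removed in PHP 5.4, so on a modern interpreter the configuration check simply passes.

```php
<?php
// Added example, not from the original Bugtraq thread.
// Script name (fetch.php) and variable names are hypothetical.
// Try it with the built-in server:
//   php -S localhost:8080 fetch.php
//   then request http://localhost:8080/fetch.php?var1=value1&var2=value2

/**
 * Abort if request variables would be imported into the global scope.
 * On PHP >= 5.4 the directive no longer exists and ini_get() returns
 * false, so this is a no-op there; on an old interpreter it closes the
 * hole described in the thread before any other code runs.
 */
function assertRegisterGlobalsOff(): void
{
    $raw = ini_get('register_globals');
    if ($raw !== false && filter_var($raw, FILTER_VALIDATE_BOOLEAN)) {
        http_response_code(500);
        exit("register_globals is enabled; refusing to run\n");
    }
}

/**
 * Read one parameter from an explicit source array ($_GET, $_POST, ...)
 * instead of from a bare variable name. A missing or non-scalar value
 * yields $default, so the result is always a string the caller chose.
 */
function readRequestVar(array $source, string $name, string $default = ''): string
{
    if (!array_key_exists($name, $source) || !is_scalar($source[$name])) {
        return $default;
    }
    return (string) $source[$name];
}

assertRegisterGlobalsOff();

// Every state-bearing variable is initialised before any branch tests it.
// The unsafe shape from the thread, `$Var_2 = $var2;`, works only because
// register_globals has already assigned $var2 from the query string;
// with an explicit default there is nothing for the environment to supply.
$isAdmin = false;
$var1    = readRequestVar($_GET, 'var1');
$var2    = readRequestVar($_GET, 'var2');

// Authorisation is decided by server-side state only (here a constructed
// placeholder check) and never by a variable a request could have named.
if (isset($_SERVER['REMOTE_USER']) && $_SERVER['REMOTE_USER'] === 'admin') {
    $isAdmin = true;
}

header('Content-Type: text/plain; charset=UTF-8');
printf("var1=%s\nvar2=%s\nadmin=%s\n",
    $var1, $var2, $isAdmin ? 'yes' : 'no');
```

With the query string from Messer's example this prints `var1=value1`, `var2=value2` and `admin=no` regardless of any `?isAdmin=1` appended to the request, because `$isAdmin` is assigned in the script before it is ever read and the request is only consulted through `$_GET`.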

