PHP security: register globals

<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
$authorized = true;
}

// Because we didn’t first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
include “/highly/sensitive/data.php”;
}
?>

Example #3 Detecting simple variable poisoning

<?php
if (isset($_COOKIE['MAGIC_COOKIE'])) {
    // MAGIC_COOKIE comes from a cookie.
// Be sure to validate the cookie data!

} elseif (isset($_GET[‘MAGIC_COOKIE’]) || isset($_POST[‘MAGIC_COOKIE’])) {

mail(“admin@example.com”, “Possible breakin attempt”, $_SERVER[‘REMOTE_ADDR’]);
echo “Security violation, admin has been alerted.”;
exit;

} else {

// MAGIC_COOKIE isn’t set through this REQUEST

}
?>

Uninitialised variables are dangerous!!

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s