Why is register_globals = On a security risk?

A question from comp.lang.php:

I understand that register_globals was turned off by default as, unless you initialised it, it could be altered by a malicious coder.

What I don't understand is how the $_POST['foo'] form is any more secure. Surely Mr Malicious Coder can still just send his own version of $_POST['foo']?

Obviously I’m missing something, I just can’t figure out what!

What you are missing is that with register_globals = On, the malicious coder can initialize ANY variable in the script, regardless of whether the script expects to receive that variable from the request (via CGI) at all.

Let’s say, you have something like this:

<?php
// Tons of code here...
// The script processes incoming data
// and, depending on the program flow,
// may or may not initialize the $bar
// variable.
if (isset($bar)) {
  // $bar is interpolated straight into the SQL (the point of the example)
  $query = "DELETE FROM the_table WHERE bar='$bar'";
  $result = mysql_query($query);
}
// Tons of code here too...

Now let's say that register_globals = On and the malicious coder submitted:

$_REQUEST['bar'] = "' OR bar LIKE '%"

The server receives it and initializes:

$bar = "' OR bar LIKE '%"

If $bar is not changed elsewhere, the script issues the following MySQL query:

DELETE FROM the_table WHERE bar='' OR bar LIKE '%'

meaning, delete all records from the_table.

Granted, the above example is not good coding practice, but with register_globals = Off it is still safe (the malicious user cannot initialize $bar and thus cannot alter the program flow), while with register_globals = On it is a security risk.
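To make the difference in program flow visible, here is an added example (mine, not from the original post or the comp.lang.php thread) that emulates register_globals with extract() on modern PHP, where the option no longer exists; the request array, the $must_delete flag and the delete_by_bar() helper are constructed for illustration.

```php
<?php
// Added example: emulates register_globals = On with extract() so the effect
// can be observed on current PHP without changing php.ini.

// Constructed attacker-controlled request, as in the post.
$attacker_request = ['bar' => "' OR bar LIKE '%"];

// Simplified version of the script in the post: $bar is only ever meant to be
// set by internal logic ($must_delete), never directly by the client.
function process(array $request, bool $register_globals, bool $must_delete = false): ?string
{
    if ($register_globals) {
        // What register_globals did: every request key becomes a variable,
        // including ones the script never expected to receive.
        extract($request);
    }
    if ($must_delete) {
        $bar = 'obsolete';   // the only intended way $bar gets a value
    }
    if (isset($bar)) {
        return "DELETE FROM the_table WHERE bar='$bar'";
    }
    return null;             // nothing to delete on this code path
}

// register_globals = Off: the client cannot create $bar, the flow is unchanged.
var_dump(process($attacker_request, false));

// register_globals = On: $bar appears out of nowhere and carries the injection.
var_dump(process($attacker_request, true));

// Hardened form: read the value only from the expected array, validate it,
// and keep it out of the SQL text (placeholder plus bound parameter).
function delete_by_bar(array $post): array
{
    if (!isset($post['bar']) || !preg_match('/^[A-Za-z0-9_]{1,32}$/', $post['bar'])) {
        throw new InvalidArgumentException('bar missing or malformed');
    }
    // Returned as [sql, params] for use with PDOStatement::execute().
    return ['DELETE FROM the_table WHERE bar = ?', [$post['bar']]];
}

var_dump(delete_by_bar(['bar' => 'obsolete']));
```

Note that extract() in process() would also let the request overwrite $must_delete, which is the same class of problem the post describes.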
