Re: PHP global variable overwrites

[dan.crowley () gmail com]

This attack requires php_register_globals to be enabled in php.ini. By default, I believe it is disabled.

However, consider the following code:

<?
if($_POST['password'] == "34lolThisIsAGreatPa$$word#$#"){
$admin = 1;
}

if($admin == 1){
//Do something privileged
}
?>

The problem here is that with php_register_globals on, any GET or POST variable can define a new global variable. 
Therefore, a request to this script like 
"http://www.example.com/example.php?password=thisIsNotTheRightPassword&admin=1"; is dangerous.

PHP will create a global variable called $admin with a value of 1 before running the script, which bypasses the need 
for a correct password, as having the correct password only serves to set $admin to 1.

Hope this helps!

--
Dan Crowley
"None of us is as smart as all of us." - Japanese proverb

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------