|
|
Posted by NC on 10/31/07 21:48
On Oct 24, 3:57 am, +mrcakey <mrca...@nospam.nospam> wrote:
>
> I understand that register_globals was turned off by default
> as, unless you initialised it, it could be altered by a
> malicious coder.
>
> What I don't understand is how the $_POST['foo'] form is any
> more secure. Surely Mr Malicious Coder can still just send
> his own version of $_POST['foo']?
>
> Obviously I'm missing something, I just can't figure out what!
What you are missing is a realization that with register_globals = On,
the malicious coder can initialize ANY variable, regardless of whether
the script expects to receive it via CGI.
Let's say, you have something like this:
// Tons of code here...
// The script processes incoming data and, depending on the
// program flow, may or may not initialize the $bar variable.
if (isset($bar)) {
$result = mysql_query("DELETE FROM the_table WHERE bar='$bar'");
}
// Tons of code here too...
Now let's say that register_globals = On and malicious coder
submitted
$_REQUEST['bar'] = '%'. The server receives it and initializes $bar =
'%'. If $bar is not changed elsewhere, the script issues the
following MySQL query:
DELETE FROM the_table WHERE bar='%'
meaning, delete all records from the_table.
Granted, the above example is not a good coding practice, but with
register_globals = Off it is still safe (the malicious user cannot
initialize $bar and thus alter the program flow), while with
register_globals = On it is a security risk.
Cheers,
NC
Navigation:
[Reply to this message]
|