Bugtraq mailing list archives

Re: Zorum Portal (PHP)
From: MightyE <mightye () mightye org>
Date: Wed, 29 Jan 2003 15:12:11 -0500

Messer wrote:

Hello MGHz,

In new versions of PHP (PHP 4.2.3 and higher) for reception of values
transmitted to the form it's necessary to write:

$Variable = $HTTP_GET_VARS['var'];  // Request Method - GET
or
$Variable = $HTTP_POST_VARS['var']; // Request Method - POST

// example: http://host.com/script.php?var1=value1&var2=value2
$Var_1 = $HTTP_GET_VARS['var1'];
$Var_2 = $var2;
// $Var_1 == "value1"
// $Var_2 == ""

Messer.

Actually that's just the default. As per http://www.php.net/manual/tw/configuration.directives.php#ini.register-globals it is still possible to configure PHP to register global variables such as $HTTP_POST_VARS['var'] as root level global variables, where your above example would render $Var_2 == "value2". This is a directive set in the php.ini file, and frequently required for reverse compatibility. Setting register_globals to false in php.ini will circumvent many such attacks, though it may break some scripts. The fact that it now defaults to false will hopefully keep developers using $_POST, $_GET, $HTTP_POST_VARS, and $HTTP_GET_VARS, which is far more secure.

-MightyE
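As an added example, not code from this thread or from Zorum itself: the pattern MightyE's reply warns about, with register_globals emulated by extract() on a constructed request, beside the initialized-variable, superglobal-based form he recommends, plus a check of the directive itself. The function names legacy_check, hardened_check and register_globals_enabled and the request values are assumptions for illustration. register_globals has defaulted to off since PHP 4.2.0 and was removed in PHP 5.4, as were $HTTP_GET_VARS and $HTTP_POST_VARS, so on current PHP only $_GET and $_POST remain.

```php
<?php
// Added example, not code from the original thread or from Zorum/PHP itself.
// With register_globals=on every request parameter became a script-level
// variable, so a variable the script never initialized could be pre-set by
// the client. All request data below is constructed for the demonstration.

// Constructed request, equivalent to: script.php?var1=value1&var2=value2&is_admin=1
$request = ['var1' => 'value1', 'var2' => 'value2', 'is_admin' => '1'];

// Legacy pattern: $is_admin is assigned only on the success path and never
// initialized. extract() stands in for what register_globals did automatically.
function legacy_check(array $request): bool
{
    extract($request);                       // emulates register_globals
    if (isset($user) && $user === 'root') {  // $user would come from the request too
        $is_admin = true;
    }
    return !empty($is_admin);                // the request's own is_admin value survives
}

// Hardened pattern, as MightyE recommends: read parameters from an explicit
// source ($_GET / $_POST) and initialize every variable before it is used.
function hardened_check(array $get): bool
{
    $is_admin = false;                       // never rely on an implicit default
    $user     = $get['user'] ?? '';          // explicit, named source
    if ($user === 'root') {
        $is_admin = true;
    }
    return $is_admin;                        // nothing outside $get can set this
}

// Deployment check for the directive itself. ini_get() returns false when the
// directive does not exist at all (PHP >= 5.4), which also means "off".
function register_globals_enabled(): bool
{
    $value = ini_get('register_globals');
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

var_dump(legacy_check($request));
var_dump(hardened_check($request));
var_dump(register_globals_enabled());
```

In a real script hardened_check() would be called as hardened_check($_GET) or hardened_check($_POST); the point is that the source of each value is named at the point of use, and that every decision variable has a known default before any request data is consulted, so the setting of register_globals no longer matters to the script's correctness.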