Thisislegal.com


Global Variables

In PHP, variables are created automatically the first time they are used in the code (with an empty value, ""), and their type is determined by the context in which they are used. That makes it very easy and comfortable for the programmer.


PHP, as a programming language that is mostly used for web applications, often deals with user input.

Examples:

- form variables
- cookies
- uploaded files


These scripts take the input, process it and return the output.
To make handling the input easy, PHP provides global variables.
Up to and including PHP version 4.1.0, all variables (environment, GET, POST, cookie and server) were written into the same namespace. So an attacker was able to put arbitrary variables with arbitrary values into that namespace. If the programmer does not initialize a variable in his code, he cannot assume that the variable has not been set by an attacker.

Example:

<?php
// Deliberately vulnerable: $auth is never initialized, so with
// register_globals ON a request parameter "auth" becomes $auth directly.
if ($pass == "noidea")
    $auth = 1;
// ...
if ($auth == 1)
    echo "Access granted";
?>


You can easily bypass the authentication by sending a variable "auth" with the value 1 to the script.

After PHP 4.1.0, register_globals is turned OFF by default and the variables are written into superglobal arrays instead.
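The same check written so that it does not depend on register_globals, as an added example that is not part of the tutorial: every variable is initialized explicitly, input is read only from the $_POST superglobal, and the script refuses to run if the deployment still has register_globals on (ini_get() returns "1" when the flag is on and "" when it is off or, in PHP 5.4 and later, no longer exists).

```php
<?php
// Added example, not from the tutorial.

// Refuse to run at all in a deployment with register_globals on, so the
// injected-variable problem cannot resurface through a config change.
if (ini_get('register_globals')) {
    die('register_globals must be off');
}

// Always initialize: an injected "auth" request variable can no longer
// pre-set this, because it only ever lives in $_POST/$_GET.
$auth = 0;

// Read input only from the superglobal, never from the global namespace.
$pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';

// Strict comparison avoids PHP's loose type juggling (e.g. "0" == false).
if ($pass === 'noidea') {
    $auth = 1;
}

if ($auth === 1) {
    echo "Access granted";
} else {
    echo "Access denied";
}
?>
```

The two changes that matter are the explicit `$auth = 0;` and taking `$pass` from `$_POST`; the ini_get() guard is a belt-and-braces check so the script fails closed on a misconfigured server rather than silently becoming bypassable again.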

If you call the script, for example, like this:

http://a_website/file.php?variable1=hello&variable2=you

you can use variable1 and variable2 in your script, depending on the web server configuration, as follows:

register_globals ON:

$variable1
$variable2

register_globals OFF (the arrays are only available if track_vars is on):

$HTTP_GET_VARS['variable1']
$HTTP_GET_VARS['variable2']


If track_vars is on, you can use the following arrays:

$HTTP_ENV_VARS or $_ENV
$HTTP_GET_VARS or $_GET
$HTTP_POST_VARS or $_POST
$HTTP_COOKIE_VARS or $_COOKIE
$HTTP_SERVER_VARS or $_SERVER
$HTTP_SESSION_VARS or $_SESSION
$_REQUEST

With track_vars enabled, variables submitted by the user are available both as global variables and as elements of the arrays listed above.

Sometimes you will run into the problem that a third-party PHP application needs register_globals ON. You can put, for example, these lines

php_flag register_globals Off
php_flag track_vars On

into an .htaccess file to change the settings for that one application only. In the Apache web server configuration, AllowOverride has to be set to "AllowOverride Options" for this to work.

Under the 'admin/' directory, index.php checks, after the form has been posted, whether the password matches the one in the database:

<?php
// $dbpass comes from the database, $pass from the posted form.
if ($dbpass == $pass) {
    // Register the identity variables in the session and move on.
    session_register("myname");
    session_register("fullname");
    session_register("userid");
    header("Location: index2.php");
}
?>


When the passwords match, the variables $myname, $fullname and $userid are registered as session variables. The user then gets redirected to index2.php. Let us see what happens there:

<?php
// No session ID at all: send the user back to the login page.
if (!$PHPSESSID) {
    header("Location: index.php");
    exit(0);
} else {
    // Resume the session; with register_globals ON, any session variable
    // not already set in the global scope gets registered here.
    session_start();
    if (!$myname) session_register("myname");
    if (!$fullname) session_register("fullname");
    if (!$userid) session_register("userid");
}
?>


If the session ID has not been set, the user is sent back to the login screen. If there is a session ID, though, the script resumes the session and puts the previously set session variables into the global scope. Nice. Let us see how this can be exploited. Consider the following URL:

http://example.ch/admin/index2.php?PHPSESSID=1&myname=admin&fullname=joey&userid=admin

The GET variables $PHPSESSID, $myname, $fullname and $userid are created as global variables by default. So when you look at the if-else structure above, you will notice that the script concludes $PHPSESSID is set, and that the three variables used to authorize and identify the user can be set to anything you want. The database has not even been queried.





Tutorial By Raduce

Comments:


sOwL:
very good tutorial. 5 from me

Guest:
Well this was a hard tut but after i finished exploit 5 from HackQuest, I thought this aspect deserves a tutorial.

t0mmy9:
Thanks again, it looks like you put a lot of effort into this one


Copyright © 2007-10 Thisislegal.com, All Rights Reserved
