www.colder.ch - Monday, 03 January 2005

When on, register_globals injects your scripts with all sorts of variables: variables coming from the GET or POST method, from sessions and from cookies. This setting can make scripts insecure, because PHP does not require variables to be initialized. There is an example of that kind of leak at www.php.net/register_globals. This short text explains another way to bypass a login check using the leaks created by register_globals = On, from a different point of view.
Many arrays are initialized badly: instead of a call to array(), the array is created just by assigning an index, like this:
<?php
$sample["key1"] = "value1";
$sample["key2"] = "value2";
?>
You probably already know that you can access a single character of a string using { } or [ ].
For more information: http://www.php.net/manual/language.types.string.php#language.types.string.substr
Since PHP 4, using [ ] instead of { } to access a character is deprecated, but it is still available for compatibility reasons.
<?php
$string = "abcdefgh";
echo $string{2}; // "c"
echo $string{4}; // "e"
echo $string{0}; // "a"
?>
Is the same as
<?php
$string = "abcdefgh";
echo $string[2]; // "c"
echo $string[4]; // "e"
echo $string[0]; // "a"
?>
Now what happens if you use a non-numerical index?
PHP evaluates the index as 0:
<?php
$string = "abcdefgh";
echo $string["foo"]; // "a"
echo $string[0]; // "a"
?>
You must also notice that if you assign more than one character to a single character position, only the first character is used.
<?php
$string = "abcdefgh";
$string[0] = "yzzzzz"; // $string is now "ybcdefgh": only the "y" was written
$string[0] = "y";      // exactly the same result
?>
Now imagine a script that uses:
<?php
$admin["user"] = "foo";
$admin["pass"] = "bar";
if($admin["user"] == $_GET["username"] AND $admin["pass"] == $_GET["password"]){
/* Give r00t */
}
?>
It seems quite secure, if you don't have the user and pass, of course.
Now what happens if you try to view it with: page.php?admin=asdf
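The following is an added example, not code from the original post. It imitates by hand what register_globals = On does for page.php?admin=asdf (the request value is assigned to $admin before the script's own initialisation runs), so the effect can be reproduced with register_globals off on any PHP version, and then shows the initialisation that closes the hole. $admin, "foo", "bar" and the GET parameter names come from the post; leakedCredentials() and checkLogin() are hypothetical names. Note that newer PHP releases no longer accept a non-numeric offset on a string silently (PHP 8 throws a TypeError), which the try/catch makes visible; the real fix remains register_globals = Off in php.ini and creating the array with array().

```php
<?php
// Added example, not from the original post. It reproduces the effect of
// register_globals = On for page.php?admin=asdf by assigning the request
// value to $admin before the post's own initialisation, then shows the
// hardened form. leakedCredentials() and checkLogin() are hypothetical names.

// Step 1: what the leak does to the post's check. Returns the pair of values
// the "secure" comparison really ends up comparing against.
function leakedCredentials($injected)
{
    $admin = $injected;         // register_globals: $admin is already "asdf"
    $admin["user"] = "foo";     // on a string this writes one char at offset 0
    $admin["pass"] = "bar";     // same offset again, overwriting the previous char
    // Both reads use a non-numeric index, so both read offset 0.
    return array($admin["user"], $admin["pass"]);
}

$u = null;
$p = null;
try {
    list($u, $p) = leakedCredentials("asdf");
    // PHP 4 and early PHP 5: silent. Later 5.x/7.x: same values, with
    // "Illegal string offset" warnings that should never be ignored.
    printf("the check now compares against user=%s pass=%s\n", $u, $p);
} catch (Error $e) {
    // PHP 8: a non-numeric string offset is a TypeError, so this particular
    // degradation cannot happen there; the warning/error is the detection.
    echo "string offset rejected: ", $e->getMessage(), "\n";
}

// Step 2: the hardened check. The array is created explicitly, so it cannot
// start life as whatever the request supplied, and the credentials are read
// only from $_GET (passed in here so the function can be tested offline).
function checkLogin(array $request)
{
    $admin = array("user" => "foo", "pass" => "bar");  // always an array
    if (!isset($request["username"], $request["password"])) {
        return false;
    }
    // Strict comparison: no type juggling between the two sides.
    return $admin["user"] === $request["username"]
        && $admin["pass"] === $request["password"];
}

// Constructed requests, not real traffic.
var_dump(checkLogin(array("username" => "foo", "password" => "bar"))); // bool(true)
var_dump(checkLogin(array("username" => $u, "password" => $p)));       // bool(false)
var_dump(checkLogin(array("username" => "foo")));                      // bool(false)

// Step 3: a fail-closed guard for legacy code you cannot rewrite yet.
// Call it at the top of the script, before the array is filled.
function refuseIfPreset($name, $isSet, $value)
{
    if ($isSet) {
        error_log("refusing request: \$$name was pre-set as " . gettype($value));
        return true;
    }
    return false;
}
var_dump(refuseIfPreset("admin", isset($admin), isset($admin) ? $admin : null)); // bool(false) here
```

Run it with php on the command line; the first var_dump is the only true result, and the second shows that the hardened check rejects exactly the pair of values the leaky version was comparing against. In a real deployment the guard in step 3 would be followed by exit, and the `$_GET` array would be passed to checkLogin() directly.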