PHP super-globals-overwrite

Description

A common security problem with PHP is the register_globals setting in PHP's configuration file (php.ini). This setting (which can be either On or Off) tells whether or not to register the contents of the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables. For example, if register_globals is on, the url http://www.example.com/test.php?id=3 will declare $id as a global variable. This feature is a great security risk, and you should ensure that register_globals is Off for all scripts (as of PHP 4.2.0 this is the default).

Some applications will detect if register_globals is turned off and in that case emulate register_globals by globalizing everything within the _REQUEST array using a code like:

foreach ($_REQUEST as $key => $val) {
      $$key = $val;
   }
Code similar to this is used by many projects to emulate register_globals=on.

Remediation

Review the source code of this script. If register_globals is required for the functionality of this script, make sure that all the variables are properly initialized. However, it is strongly recommended not to rely on register_globals.

References
Severity
Classification
Tags
  • Abuse Of Functionality