PHP Globals
In PHP, variables are automatically created the first time they are used (empty: "") in the code and their type is based on the content and context in which they are used. This makes variables easy to set and use for the developer.
PHP as a programming language that is most of the time used for web applications, often deals with user input.
Example:
- Form variables
- Cookies
- Uploaded files
These take the input, process it and return the output. To handle the input easily, PHP provides a set of global variables.
Before PHP version 4.1.0 (including 4.1.0), all the variables (Environment (ENV), GET, POST, COOKIE, and SERVER) got written into the same namespace. So an attacker was able to put arbitrary variables with arbitrary values into the namespace. If the programmer doesn't initialize the variables in his code, they can't guarantee that the variable hasn't been changed by an attacker.
Example:
<?php
if ($pass == "noidea")
$auth = 1;
// Further logic here
if ($auth == 1)
echo "Access granted";
?>
You can easily bypass the authentification by sending a variables "auth" to the script with the value 1.
After PHP 4.1.0 register_globals is turned OFF by default and variables get written into super global arrays.
If you call the script for example like so:
http://a_website/file.php?variable1=hello&variable2=you
You could use variable1 and variable2 in your script, depending on the web server configuration, like this:
$variable1
$variable2
//-->only possible if track_vars is on else:
register_globals OFF
$HTTP_GET_VARS['variable1']
$HTTP_GET_VARS['variable2']
If track_var is on you can use the following arrays:
$HTTP_GET_VARS or $_GET
$HTTP_POST_VARS or $_POST
$HTTP_COOKIE_VARS or $_COOKIE
$HTTP_SERVER_VARS or $_SERVER
$HTTP_SESSION_VARS or $_SESSION
$_REQUEST
track_vars enabled: variables submitted by the user are available both from the global variables and also as elements in the arrays mentioned above.
Sometimes you will have problems that a third-party PHP application needs register_globals ON! You can put for examples these lines
php_flag track_vars On
into an .htaccess file to change the settings for only a special program. In the Apache web server configuration has "AllowOverride" be set to "AllowOverride Options"
Under the 'admin/' directory, index.php checks whether the password matches the one in the database after posting the form:
<?php
if ($dbpass == $pass) {
session_register("myname");
session_register("fullname");
session_register("userid");
header("Location: index2.php");
}
?>
When the passwords match, the variables $myname, $fullname and $userid are registered as session variables. The user then gets redirected to index2.php. Let us see what happens there:
<?php
if (!$PHPSESSID) {
header("Location: index.php");
exit(0);
} else {
session_start();
if (!$myname) session_register("myname");
if (!$fullname) session_register("fullname");
if (!$userid) session_register("userid");
}
?>
If the session ID has not been set, the user will be redirected back to the login screen. If there is a session ID, though, the script will resume the session and will put the previously set session variables into the global scope. Nice. Let us see how we can exploit this. Consider the following URL:
http://example.ch/admin/index2.php?PHPSESSID=1&myname=admin&fullname=joey&userid=admin
The GET variables $PHPSESSID, $myname, $fullname and $userid are created as global variables per default. So when you look at the if-else structure above, you will notice that the script figures $PHPSESSID is set and that the three variables dedicated to authorize and identify the user can be set to anything you want. The database has not even been queried.
Tutorial by Raduce