Pantek Library

Re: PHP and "Register_Globals"

From: Jim McGarvey <jim.mcgarvey(at)interblink.com>
Date: Sun Mar 30 2003 - 04:12:44 EST

On Sat, 29 Mar 2003, Ulrich P. wrote:

> - the application is *huge*

I think you need to consider the risk, and whether it justifies the cost. Sometimes long-term costs of maintaining an application can be greatly reduced by spending the time up front implementing sound security practices. But if you have no resources at this time to do more with the application, then it may be best to wait and see, and deal with the costs down the road if the system gets compromised or you decide to extend the functionality and make security updates at that time.

While I suggested that you update the code to work with "register_globals off" by manually setting your variables at the top of each php script, that is certainly not the only way to reasonably protect against the register_globals problem. If you understand the problem, you can do a security audit of your own code, looking for anything that could be exploitable. I would focus on parts of the code related to authentication, or any part of the code that does system calls or sql queries. Especially look for instances where an internal variable is set conditionally and can be left unset, since this is where an attacker could set a value which was inadvertently left unset.

Spend as much time as you feel is reasonable for the risks involved. Since compromises with "register_globals off" seem rather rare to me, I would not suggest spending a ton of time rewriting the application if you don't have the resources to do so.

It is certainly possible to have a secure application even with register_globals on; it's just more work to verify that you have secured it as well as you possibly can.

-Jim

Received on Sun Mar 30 10:03:42 2003
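The pattern Jim is warning about, shown side by side with the two fixes he mentions (initialising internal variables before any conditional assignment, and reading request data from the superglobals at the top of the script). This is an added illustration, not code from the thread or from Ulrich's application; check_credentials(), show_admin_panel() and the user/pass field names are hypothetical. The $_POST superglobal exists from PHP 4.1 onward, so it was already the recommended replacement when this message was written; register_globals itself was removed in PHP 5.4.

```php
<?php
// ---- vulnerable.php (register_globals = On) ----------------------------
// Added example, not from the original message. check_credentials() and
// show_admin_panel() are assumed to exist elsewhere in the application.
//
// $authorized is assigned only on the success branch. With register_globals
// enabled, PHP turns every GET/POST/cookie field into a global before this
// script runs, so a request like  admin.php?authorized=1  leaves
// $authorized already set to "1" when the if() below is reached, and the
// credential check is bypassed.
if (check_credentials($user, $pass)) {   // $user/$pass also come from the request
    $authorized = true;
}

if ($authorized) {                       // undefined unless the client supplied it
    show_admin_panel();
}
?>
<?php
// ---- fixed.php (works with register_globals On or Off) -------------------
// Added example, not from the original message; same hypothetical helpers.

// 1. Initialise every internal flag before any conditional assignment, so a
//    client-supplied global can never stand in for an unset value. This is
//    the "set conditionally and can be left unset" case from the audit advice.
$authorized = false;

// 2. Take request data only from the superglobals, never from bare variable
//    names. This is what "manually setting your variables at the top of each
//    script" amounts to, and it is the only place request input enters.
$user = isset($_POST['user']) ? $_POST['user'] : '';
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';

if (check_credentials($user, $pass)) {
    $authorized = true;
}

// Strict comparison: a string "1" injected via a global would not equal true.
if ($authorized === true) {
    show_admin_panel();
}

// Configuration side, for reference:
//   php.ini:    register_globals = Off
//   .htaccess:  php_flag register_globals off      (Apache mod_php, per directory)
// It cannot be switched off with ini_set() inside the script, because the
// globals are registered before any script code executes.
```

An audit for the vulnerable pattern comes down to finding variables that are read in a condition but only ever assigned inside another branch; starting with authentication checks, system calls and SQL query construction, as the message suggests, covers the places where such a variable does the most damage.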


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT

