http://www.linuxdevcenter.com/pub/a/...ecurities.html
I'm specifically concerned about the PHP issue. Could you address this?
This is a discussion on Security Concern - Jag? in the Shared & Semi-Dedicated forum
Um... if they turn the globals off, GET and POST data will not be available as variable data. That will force everyone to rewrite all their scripts to use HTTP session variables. I would venture to say, most sites on JagPC, written in PHP, would quit working immediately. Besides, most of the injections written these days will 'work' whether or not globals are turned on or off. So, while one could quip that having globals turned on is an accident waiting to happen, I don't think the turmoil that will result in turning them off will be worth it IMHO.
DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.
Originally posted by Vin DSL:
Um... if they turn the globals off, GET and POST data will not be available as variable data. That will force everyone to rewrite all their scripts to use HTTP session variables. I would venture to say, most sites on JagPC, written in PHP, would quit working immediately. Besides, most of the injections written these days will 'work' whether or not globals are turned on or off. So, while one could quip that having globals turned on is an accident waiting to happen, I don't think the turmoil that will result in turning them off will be worth it IMHO.

That is not exactly true: all the scripts would have to be rewritten, but not to use sessions; rather, to use the new "superglobal" variables, etc.
And you can locally change the Global Variables setting on a per-user basis via .htaccess.
Most scripts are being coded now so that that feature can be turned off, and if you still code in that fashion, you're not writing secure code anyway.
Michael
Xtreme-Web-Design
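An added example of mine (not code from this thread, from JagPC or from any script it mentions) of the rewrite Michael describes: the same access check written the way a register_globals-dependent script did it and the way a script that reads the superglobals does it. Modern PHP no longer has register_globals, so the script emulates what the flag did with extract(); the request values, the logged_in_as_admin() stand-in and the unregister_globals() guard are all assumptions made for the example. Against the constructed request, the legacy version reports the visitor as an administrator because the query string supplied $is_admin, while the rewritten version does not.

```php
<?php
// Added example, not from the thread. Emulates register_globals with extract()
// (ASSUMPTION: emulation only; PHP >= 5.4 has no register_globals) and shows
// the superglobal rewrite that behaves the same whether the flag is on or off.

// Constructed request, as the web server would populate $_GET for
//   /admin.php?page=users&is_admin=1
$_GET = ['page' => 'users', 'is_admin' => '1'];

// Stand-in for whatever real session/password check the site uses.
function logged_in_as_admin(): bool
{
    return false;                     // this visitor is NOT an administrator
}

// BEFORE: the script assumes $is_admin is unset unless it sets it itself.
function legacy_page(array $get): array
{
    extract($get);                    // what register_globals did for every script
    if (logged_in_as_admin()) {
        $is_admin = true;
    }
    // $is_admin was never initialised, so the query string's '1' survives.
    return ['page' => $page, 'is_admin' => !empty($is_admin)];
}

// AFTER: initialise every variable, and read request data only from the
// superglobal you mean ($_GET here), never from a bare variable name.
function hardened_page(array $get): array
{
    $is_admin = false;
    if (logged_in_as_admin()) {
        $is_admin = true;
    }
    $page = isset($get['page']) ? (string) $get['page'] : 'home';
    return ['page' => $page, 'is_admin' => $is_admin];
}

// Runtime guard for code you cannot rewrite yet: if the host still has the
// flag on, drop every global that came from request data before running.
function unregister_globals(): void
{
    if (!ini_get('register_globals')) {
        return;                       // off, or the directive no longer exists
    }
    $sources = [$_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV];
    if (isset($_SESSION)) {
        $sources[] = $_SESSION;
    }
    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            if ($name !== 'GLOBALS') {
                unset($GLOBALS[$name]);
            }
        }
    }
}

unregister_globals();
var_dump(legacy_page($_GET));
var_dump(hardened_page($_GET));
```

The guard only helps scripts that do not themselves depend on the injected globals; a script like legacy_page() still has to be rewritten, because the bug is the uninitialised variable, not the flag.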
We've tried turning globals off before and the results of turning them off were much worse than what we've seen by keeping them on. I know many software vendors are working to re-code their products to work around globals being off as they should be so we will eventually turn them off in the future. We realize clients can use the .htaccess files to manipulate this variable and we'll just have to deal with those clients who refuse to do so when we do turn globals off.
Originally posted by Eric_Echter:
We've tried turning globals off before and the results of turning them off were much worse than what we've seen by keeping them on. I know many software vendors are working to re-code their products to work around globals being off as they should be so we will eventually turn them off in the future. We realize clients can use the .htaccess files to manipulate this variable and we'll just have to deal with those clients who refuse to do so when we do turn globals off.

Ohh, I don't fault you for leaving them on; right now I would as well. After 5 comes out, though, I would start thinking about it.
Originally posted by XtremeCarAudio:
That is not exactly true: all the scripts would have to be rewritten, but not to use sessions; rather, to use the new "superglobal" variables, etc.

Easier said than done. We're told that $_REQUEST is just as dangerous as relying on globals being registered, yet there are circumstances where you can't code a script to just use $_POST or $_GET.
Personally I'd much prefer my scripts to solely use POST, as it's much tidier from a user's POV, but that would mean making every single link into a mini-form.
Last edited by G.Bloke; 02-15-2004 at 09:41 AM.
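An added example of mine (not code from this thread) of why $_REQUEST carries the same risk as registered globals, and of what to do in the case G.Bloke raises: one handler reached both by a plain link and by a form. $_REQUEST is a single merged array, so the script cannot tell whether a value arrived in the query string, the POST body or a cookie, and in the order PHP falls back to when request_order is not set (variables_order = "EGPCS") a cookie silently overrides both. The script emulates that merge on constructed data and then resolves the parameter from exactly one source chosen by the HTTP method; the parameter names, the CSRF token handling and the merge emulation are assumptions made for the example.

```php
<?php
// Added example, not from the thread. Shows why $_REQUEST hides where a value
// came from, and a handler that serves both links (GET) and forms (POST)
// without it. Request data is constructed. ASSUMPTION: the merge below
// reproduces PHP's fallback order (variables_order = "EGPCS", request_order
// unset), in which later sources overwrite earlier ones.

$_GET    = ['action' => 'view',   'id' => '42'];
$_POST   = ['action' => 'delete', 'id' => '42', 'csrf' => 'tok-abc'];
$_COOKIE = ['id' => '7'];        // a cookie an attacker can plant from a sibling host

// What $_REQUEST looks like under the fallback order: cookie wins.
function emulated_request(array $get, array $post, array $cookie): array
{
    return array_merge($get, $post, $cookie);   // G, then P, then C
}

// Read a parameter from exactly one named source, never from the merge.
function param(array $source, string $name, string $default = ''): string
{
    return isset($source[$name]) ? (string) $source[$name] : $default;
}

// The handler G.Bloke describes: one URL reached by a link (GET) or a form
// (POST). Decide by the HTTP method, then read only the matching superglobal.
// Cookies are never a source for command parameters.
function handle(string $method, array $get, array $post, string $sessionCsrf): string
{
    switch ($method) {
        case 'GET':                              // read-only action, safe from a link
            $id = param($get, 'id');
            return "view record $id";
        case 'POST':                             // state-changing: body plus CSRF token
            if (!hash_equals($sessionCsrf, param($post, 'csrf'))) {
                return 'rejected: bad CSRF token';
            }
            $action = param($post, 'action');
            $id     = param($post, 'id');
            if ($action !== 'delete') {
                return 'rejected: unknown action';
            }
            return "delete record $id";
        default:
            return 'rejected: method not allowed';
    }
}

$sessionCsrf = 'tok-abc';                        // ASSUMPTION: the token stored in the session

$merged = emulated_request($_GET, $_POST, $_COOKIE);
var_dump($merged['id']);                         // from $_COOKIE, not from the form
var_dump(handle('GET',  $_GET, $_POST, $sessionCsrf));
var_dump(handle('POST', $_GET, $_POST, $sessionCsrf));
```

With this split, a link can only ever reach the read-only branch, so the links do not have to become mini-forms; only the actions that change state need the POST body and the token.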
Originally posted by G.Bloke:
Personally I'd much prefer my scripts to solely use POST, as it's much tidier from a user's POV, but that would mean making every single link into a mini-form.

Hear! Hear!
--Vin DSL
If you're concerned, just add the following to your .htaccess file:
php_flag register_globals off
When that warning first came out I retooled my site to make sure I wasn't relying on any "direct" variables anywhere and then turned the feature off.
--Jason
Does someone know of a link right off-hand that discusses cross-site scripting vulnerabilities in plain language? I've read some tutorials/FAQs that are way past me. I'm not a programmer, by trade or by hobby. But when I do coding, I do try to pay attention to this stuff. So, if anyone knows a good link that has worked on explaining and suggesting improvements, I'd be grateful for it.
Thanks!
For every human problem, there is a neat, simple solution; and it is always wrong.
--H.L. Mencken
Give this a whirl:
http://www.cgisecurity.com/articles/xss-faq.shtml
If that doesn't float your boat, just do a Google search for 'XSS.' That's how us 'experts' refer to it...
--Vin DSL
Thanks, Vin!
That's the best one I've seen so far. Exactly what I was looking for.
XSS is trippy, isn't it? Sometimes I launch hex bombs at my own site, just to see what will happen...
--Vin DSL
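An added example of mine (not code from this thread or from the linked FAQ) of the two things the thread touches on: how an untrusted value becomes script in the page, and why a filter that looks for "<script" or "javascript:" in the raw input misses the nested and hex-encoded forms that the "hex bombs" remark refers to. It renders one search term and one link, first through a substring blacklist and then with output encoding chosen for the context the value lands in. The inputs, the page fragment and the allowed URL schemes are assumptions made for the example.

```php
<?php
// Added example, not from the thread. Renders one untrusted search term and
// one untrusted link, first with a blacklist filter (what many 2004-era
// scripts did), then with context-aware output encoding. Inputs are constructed.

// str_ireplace makes one left-to-right pass, so removing the inner "<script"
// from this string reassembles "<script>" around the gap.
$untrusted_term = '<scr<scriptipt>alert(document.cookie)</script>';

// Browsers decode numeric character references inside attribute values before
// interpreting the URL, so this href still runs script when clicked, while a
// search for the literal string "javascript:" never sees it.
$untrusted_link = '&#x6A;avascript:alert(1)';

// BEFORE: strip a few known-bad substrings and hope.
function blacklist_filter(string $s): string
{
    return str_ireplace(['<script', 'javascript:'], '', $s);
}

function render_vulnerable(string $term, string $link): string
{
    $term = blacklist_filter($term);
    $link = blacklist_filter($link);
    return "<p>Results for: $term</p>\n<a href=\"$link\">more</a>";
}

// AFTER: encode for the exact context the value lands in.
// Text and attribute context: every HTML metacharacter becomes an entity.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL-in-href context: decode entities the way the browser would, parse the
// result, allow only http/https, and only then entity-encode for the attribute.
function safe_href(string $url): string
{
    $decoded = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $scheme  = strtolower((string) parse_url($decoded, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {   // ASSUMPTION: allowlist for this page
        return '#';
    }
    return h($decoded);
}

function render_hardened(string $term, string $link): string
{
    return '<p>Results for: ' . h($term) . "</p>\n<a href=\"" . safe_href($link) . '">more</a>';
}

echo render_vulnerable($untrusted_term, $untrusted_link), "\n\n";
echo render_hardened($untrusted_term, $untrusted_link), "\n";
```

The blacklist version emits a live <script> element and a clickable javascript: link; the hardened version emits the term as inert text and replaces the link with "#", and a normal https URL passes through safe_href() with its ampersands encoded for the attribute. The rule the example illustrates is that encoding belongs at output time and depends on where the value is written (text, attribute, URL), not on what the input looks like.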
Yeah, I think that's the direction I'm moving in. I've been pretty conscientious about watching those kinds of things (as much as a non-programmer can be) but these vulnerabilities give me the heeby-jeebies for my site and for the damage they can do. So, I guess I need to try and pay some attention to it (before someone else does).
Backup! Backup! Backup! That's all I can tell you.
The exploits will never stop --- never! Even if your site is somewhat safe, on a shared server, how about the guy's site sitting next to you on the hard drive, you know?
As I said above, the latest injections don't give a hoot in hell if globals are turned on or off...
Last edited by Vin DSL; 02-18-2004 at 11:48 PM.
Copyright © 2011 JaguarPC.com