Home  >  Article  >  Backend Development  >  Bit by bit analysis of php global variable vulnerabilities

Bit by bit analysis of php global variable vulnerabilities

WBOY
WBOYOriginal
2016-07-25 08:56:451064browse
  1. if (isset($_REQUEST['GLOBALS']) OR isset($_FILES['GLOBALS'])) {
  2. exit('Request tainting attempted.');
  3. }
Copy code

register_globals is a control option in php, which can be set to off or on. The default is off, which determines whether to register EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables. If register_globals is turned on, the data submitted by the client contains the GLOBALS variable name, which will overwrite the $GLOBALS variable on the server. So this code is a judgment. If the submitted data contains the GLOBALS variable name, the program will be terminated.

The security issue caused by this becomes PHP's "automatic global variable vulnerability". Please be sure to turn off the register_globals option. And use $_GET, $_POST, $_COOKIE instead of $_REQUEST.

Discuz! Forum bypasses global variable defense vulnerability

Since the default value of request_order in the php.ini setting of php5.3.x version is GP, global variable defense can be bypassed in Discuz! 6.x/7.x.

In include/global.func.php:

  1. function daddslashes($string, $force = 0) {
  2. !defined('MAGIC_QUOTES_GPC') && define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
  3. if(!MAGIC_QUOTES_GPC || $force) {
  4. if(is_array($string)) {
  5. foreach($string as $key => $val) {
  6. $string[$key] = daddslashes($val, $force);
  7. }
  8. } else {
  9. $string = addslashes($string);
  10. }
  11. }
  12. return $string;
  13. }
Copy the code in

include/common.inc.php:

  1. foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
  2. foreach($$_request as $_key => $_value) {
  3. $_key{0} ! = '_' && $$_key = daddslashes($_value);
  4. }
  5. }
Copy the code

You can bypass the above code by submitting the GLOBALS variable when register_globals=on.

Prevention methods provided in Discuz!:

  1. if (isset($_REQUEST['GLOBALS']) OR isset($_FILES['GLOBALS'])) {
  2. exit('Request tainting attempted.');
  3. }
Copy code

The value of the $_REQUEST super global variable is affected by request_order in php.ini. In the latest php5.3, the default value of request_order is GP, that is, under the default configuration, $_REQUEST only contains $_GET and $_POST but not $_COOKIE. . GLOBALS variables can be submitted with the help of COOKIE.

Temporary solution: Change the php.ini settings in php 5.3.x and set request_order to GPC.

This is about introducing the loopholes and temporary solutions to global variables in PHP. I hope it will be helpful to everyone.



Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn