register_globals is not evil

Thursday, August 11. 2005

During the last months, more and more self proclaimed PHP security experts have started spreading the FUD, that register_globals is evil and that you should always switch it off, when you develop or deploy an application. This has resulted in vendors ignoring or playing down vulnerabilities, which are only exploitable when register_globals is turned on. Even when their own hoster has this option activated, they claim the vulnerability is in PHP's register_globals and not in their application.

I strongly disagree with this kind of argumentation and because I see similiarities with the actions of a certain big software company I usually refer to it as Trustworthy PHPing.

register_globals is not a security vulnerability on it's own. It is however an operation modus, that allows to exploit codepaths that are using not properly initialised variables. Problems with uninitialised variables are older than PHP itself and other languages like C share them. One example for this is the code execution vulnerability in PHP's 4.2.0-4.2.1 fileupload code that I have disclosed in the middle of 2002.

With this in mind, it is of course better for a server owner to switch off register_globals, because it stops exploits against installed web applications. The problem with this is, that hosters have a lot of customers, that use older PHP applications, that only work with register_globals being turned on. If you look at examples like Geeklog you will realise, that these applications are not automatically insecure.

So the message is: switching register_globals to off is a good advise for a "Howto set up a secure PHP server". But under no circumstances should this option be mentioned in a tutorial about writting secure PHP code, because this educates people in the wrong way. They start to believe, that register_globals is turned off everywhere and don't stop to write insecure web applications. My experience with some PHP application vendors in the last months have shown, that this downfall has already started.

It is important to teach people to use E_NOTICE to find uninitialised variables¹ and it is important to teach them, that the PHP world is a very heterogeneous one. It is not enough to write secure code for your very own server. If a PHP application wants to survive in the wild, it must atleast deal correctly with the different combinations of magic_quotes_gpc and register_globals, otherwise it should be completely avoided.

Coming back to register_globals: a secure PHP application should always

be developed with E_NOTICE to catch uninitialised variables¹ (best practice)
deregister global variables if register_globals is activated (additional best practice)
ship a .htaccess file that disables register_globals (to speed up step 2)
tell people to disable register_globals on their servers (to speed up step 2)

¹) It is important to realise that E_NOTICE is not enough to catch not properly initialised variables. It will only find unitialised variables.

<?php

   $allowed_tag[1]='b';

   $allowed_tag[2]='i';

   $allowed_tag[3]='pre';

...

   if (in_array($tag, $allowed_tag)) {

      ... print out the tag ...

?>

It should be obvious, that it is possible to inject f.e. allowed_tag[4]=script without triggering any E_NOTICE. And if it were forbidden_tag it would be possible to set forbidden_tag to a simple string, so that registering the array elements from within the script fails.

<?php

   // pseudo injected through globals

   $forbidden_tag='failing after here';

...

   // fails because it is handled as stringoffset

   $forbidden_tag[1]='script';

...

   if (!in_array($tag, $forbidden_tag)) {

      ... in_array will fail with a warning that ...

      ... forbidden_tag is not an array when attacked ...

?>

Posted by Stefan Esser in Security, PHP at 08:48

Comments (5)

Link to this post

Comments

Display comments as (Linear | Threaded)

#1 Hans Wolters wrote (Link) ()

Deregistering is not considerd best practice imho.

Been working with php a few years and I am still suprised by the fact that people will find any solution to be lazy. Once you setup a form, or make any
variable interaction possible one should understand that it is needed to check user input.

register_global on or off, people will make stupid mistakes, to that I agree.

Hans

posted on Thursday, August 11. 2005

#2 Stefan Esser wrote (Link) ()

Actually it doesn't matter if deregistering is considered best practice or not by some people.

There simply is NO other way to ensure from an application side, that register_globals is turned off.

An application can
a) refuse to work when register_globals is on => user will patch the check away, because he also uses software like Geeklog that requires register_globals=On
b) put as many warnings and .htaccess files into it's directories => this will only work if the httpd is Apache and if Apache is configured in a way, that it actually does not ignore .htaccess files

And from my point of view an application that is only secure when a certain httpd or a certain php.ini file is used is simply unacceptable.

Stefan
ps: allow_url_fopen is another such candidate. People believe that switching it off solves their security problem with remote includes. But that is an illusion. php://input for example is NOT affected by allow_url_fopen at all.

posted on Friday, August 12. 2005

#2.1 Hans Wolters wrote (Link) ()

>There simply is NO other way to ensure from an application side, that >register_globals is turned off.

It can not be assured, I agree. But developers are able to check it and act on it. It can be a choice to let an application not work when it is on but it could also trigger a developer to make sure vars are declared, etc...

From my point of view all these settings help isp's/hosters to make it a little more secure. We all know it can't be avoided that some clever person knows how to make the system work like it was intended. I've been working with some companies that are not able to pay a fulltime developer or even better, a fulltime security officer. Do you have any advise for them?

Regards,

Hans

posted on Sunday, August 14. 2005

#2.1.1 Stefan ()

I have fixed the PHP Manual at http://www.php.net/faq.misc

When the manual is the next time generated there will actually be a safe unregister_GLOBALS() function. People just need to advocate that every applications makes use of it. Cut and pasting that can be done in the same time as editing .htaccess or php.ini or httpd.conf. With the difference that once you have this function in your app your application is register_globals safe everywhere.

Please note: Until the manual is generated the next time the code mentioned there as register_globals=Off emulation is simply unsafe.

ps: In one of the next days I will give out a speed and memory usage improved version of this function.

posted on Monday, August 15. 2005

#2.2 Hans Spaans ()

I like the fact you mention about url_fopen, it once again highlights the fact that you shouldn't trust on applications and the people who create them. Its always wise to make a design redundant and a common design error is to limit the design to the customer needs only and ignores in most situations the infrastructure.

The infrastructure gives you the power to limit and reduce (possible) problems. You can limit possible input to the application by using reversed proxies/mod_security, you can also use firewall rules to limit incoming traffic, but also outgoing traffic (I would love to see someone bypassing firewall rules when they abuse fopen). And there is also the option in many operating systems to reduce access to system resources.

But this all shouldn't make people less alert to any problems, please keep up the good work.

posted on Monday, August 15. 2005

Add Comment

Name:

Email:

Homepage:

In reply to:

Comment:

Standard emoticons like :-) and ;-) are converted to images.

Remember Information?
Subscribe to this entry

Calendar