Question

I have a PHP script that executes some commands to verify that a user is logged.

// With register_globals on, $password, $hidden_password and even $_SESSION
// can all be seeded from the request before this line runs.
if (( isset ($password) && $password!="" && auth($password,$hidden_password)==1) || (is_array($_SESSION) && $_SESSION["logged"]==1 ) ){
    $aff=display("you're logged in");
} else {
    $aff=display("you're not logged in");
}

If register_globals is set to 1 in my php.ini, and I want to inject something into the URL to get authenticated every time, whatever the password is, what can I do?

I already tried:

  • site.com/page.php?password=pass&logged=1
  • site.com/page.php?password=pass&_SESSION["logged"]=array("1")
  • site.com/page.php?password=pass&hidden_password=pass ==> returns "you're not logged in", but the thing is that I don't want to overwrite $hidden_password (I need it!)
  • I also tried playing with cookies and other HTTP headers, but with no results

Any hints?


Solution

Just tried site.php?_SESSION[logged]=1, and it works!

You can modify globals when register_globals is set to 1, using the GET method.

So yes, don't ever edit this option, if you're sure about it ;)

OTHER TIPS

With this code you can check if register_globals is set to 1 and also check if someone tries to overwrite some GLOBALS - if so, the script will reset this and exit:

// Only relevant on PHP < 5.4: register_globals was removed in 5.4.0.
// ini_get() returns "1" when the option is on and "" or "0" when it is off.
if ( ini_get( 'register_globals' ) ) {
  // A request variable named GLOBALS would replace the $GLOBALS array itself.
  if ( isset( $_REQUEST['GLOBALS'] ) ) {
    die( '<a href="https://stackoverflow.com/q/21368051/5201919">$GLOBALS overwrite vulnerability</a>');
  }
  // Names of the superglobals and their pre-4.1 long-form aliases; a request
  // variable with one of these names is an attempt to overwrite them.
  $forbidden = array(
    'GLOBALS',
    '_SERVER',
    'HTTP_SERVER_VARS',
    '_GET',
    'HTTP_GET_VARS',
    '_POST',
    'HTTP_POST_VARS',
    '_COOKIE',
    'HTTP_COOKIE_VARS',
    '_FILES',
    'HTTP_POST_FILES',
    '_ENV',
    'HTTP_ENV_VARS',
    '_REQUEST',
    '_SESSION',
    'HTTP_SESSION_VARS'
  );
  foreach ( $_REQUEST as $name => $value ) {
    if( in_array( $name, $forbidden ) ) {
      // header() treats a string starting with "HTTP/" as the status line;
      // it needs a real protocol version, not "1.x".
      header( "HTTP/1.1 500 Internal Server Error" );
      die("SECURITY ERROR trying to overwrite superglobals");
    }
    // Undo register_globals for this request variable: after this, the script
    // must read user input explicitly from $_GET/$_POST/$_COOKIE.
    unset( $GLOBALS[$name] );
  }
}
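Added example, not code from the question or either answer above: the same login check rewritten so that no request parameter can pre-seed the variables it decides on, which is the fix both answers point at. It assumes a hypothetical server-side password hash ($stored_hash), a stand-in display() helper, and PHP 7 or later (register_globals was removed in PHP 5.4, so the point is not to reintroduce the same pattern through uninitialised variables or extract()).

```php
<?php
// Hardened form of the question's login check (added example, not the
// original page's code). Assumptions: $stored_hash stands in for a password
// hash kept server-side, display() for the page's own helper.
declare(strict_types=1);

// session_start() (re)builds $_SESSION from the server-side store, so the
// session is only read after this call, never from a bare $_SESSION variable.
session_start();

// Constructed for the example: a password_hash() of the real password.
// Never store or compare the cleartext.
$stored_hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

function display(string $msg): string
{
    return htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
}

// Every variable that influences the decision is initialised explicitly, so a
// request parameter of the same name (?logged=1) cannot supply its value.
$logged_in = false;

// 1. Existing authenticated session: strict comparison against the value this
//    script itself stored, not the loose ==1 of the original check.
if (isset($_SESSION['logged']) && $_SESSION['logged'] === true) {
    $logged_in = true;
}

// 2. Fresh login: the password comes only from the POST body, never from a
//    bare $password, and is verified in constant time by password_verify().
if (!$logged_in && isset($_POST['password']) && is_string($_POST['password'])) {
    if (password_verify($_POST['password'], $stored_hash)) {
        session_regenerate_id(true); // new session id on privilege change
        $_SESSION['logged'] = true;
        $logged_in = true;
    }
}

$aff = $logged_in ? display("you're logged in") : display("you're not logged in");
echo $aff;
```

The answer's $_REQUEST scan still belongs in a legacy bootstrap file for PHP older than 5.4; this version simply never depends on it.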
Licensed under: CC-BY-SA with attribution