Just tried site.php?_SESSION[logged]=1
, and it works!
You can modify globals when register_globals is set to 1, using the GET method.
So yes, don't ever edit this option, if you're sure about it ;)
質問
I have a PHP script that executes some commands to verify that a user is logged.
if (( isset ($password) && $password!="" && auth($password,$hidden_password)==1) || (is_array($_SESSION) && $_SESSION["logged"]==1 ) ){
$aff=display("you're logged in);
} else {
$aff=display("you're not logged in");
}
If register_globals is set to 1 in my php.ini
, and want to inject something into the URL to get authenticated every-time, whatever the password is, what can I do?
I already tried:
site.com/page.php?password=pass&logged=1
site.com/page.php?password=pass&_SESSION["logged"]=array("1")
site.com/page.php?password=pass&hidden_password=pass
==> returns "you're not logged in" but the thing is that I don't want to overwrite the Hidden_Password (I need it!)Any hints?
解決
Just tried site.php?_SESSION[logged]=1
, and it works!
You can modify globals when register_globals is set to 1, using the GET method.
So yes, don't ever edit this option, if you're sure about it ;)
他のヒント
With this code you can check if register_globals is set to 1 and also check if someone try to overwrite some GLOBALS - if so, the script will reset this and exit:
if ( ini_get( 'register_globals' ) ) {
if ( isset( $_REQUEST['GLOBALS'] ) ) {
die( '<a href="https://stackoverflow.com/q/21368051/5201919">$GLOBALS overwrite vulnerability</a>');
}
$forbidden = array(
'GLOBALS',
'_SERVER',
'HTTP_SERVER_VARS',
'_GET',
'HTTP_GET_VARS',
'_POST',
'HTTP_POST_VARS',
'_COOKIE',
'HTTP_COOKIE_VARS',
'_FILES',
'HTTP_POST_FILES',
'_ENV',
'HTTP_ENV_VARS',
'_REQUEST',
'_SESSION',
'HTTP_SESSION_VARS'
);
foreach ( $_REQUEST as $name => $value ) {
if( in_array( $name, $forbidden ) ) {
header( "HTTP/1.x 500 Internal Server Error" );
die("SECURITY ERROR trying to overwrite superglobals");
}
unset( $GLOBALS[$name] );
}
}