Re: [PHP] Register globals off, still not secure?
Friday, April 30, 2004, 5:37:15 PM, thus was written:

> Hi,
> Even with register globals off isn't it possible to have a webpage like this:

Not sure what you are asking. You can have a webpage like this. And I guess it even does what it should - print the information.

> <html>
> <head>
> </head>
> <h2>Hello, <?php echo $_SERVER['PHP_AUTH_USER']; ?></h2>
> <p>I know your password is <?php echo $_SERVER['PHP_AUTH_PW']; ?></p>
> <body>
> </body>
> </html>
>
> Is there a way to make sure apache doesn't set the $_SERVER['PHP_AUTH_PW'] global?

No, there is no way. The docs state that those Superglobals are always set.

But I wouldn't necessarily say that this is insecure: A user does not have access to those superglobals, unless he managed to sneak in some code onto your server - but then you'd have a problem somewhere else.

register_globals was intended as a shortcut for lazy programming (my biased opinion only!) to automagically have $PHP_AUTH_PW, etc. available. That way some user would have been able to set this variable easily, e.g. with a GET request. No way to directly set a superglobal though by conventional means.

Richard

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Register globals off, still not secure?
Thanks for the response.

I basically have an environment analogous to an internal ISP. A lot of corporate users that have the ability to make web pages for the intranet etc. Basically management wants PHP turned off now because a rogue user could potentially gather and store people's passwords just by having a line like this in their web page.

I'm looking for a way to not have $_SERVER pass the PHP_AUTH_PW portion at the very minimum, so I can justify to them to turn PHP back on. I was under the impression that if an external auth method was used that these weren't set, but I guess I was mistaken. Since PHP is being run as a module, Apache basic auth isn't really external.

Thanks.

-Patrick

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Hutchinson [EMAIL PROTECTED]
Engineering Web Systems Administrator
408.527.0305 direct
Cisco Systems, Inc.
408.527.2313 fax
Re: [PHP] Register globals off, still not secure?
Yes. My understanding is that turning globals off stops using $PHP_AUTH_PW directly.

> Hi,
> Even with register globals off isn't it possible to have a webpage like this:
>
> <html>
> <head>
> </head>
> <h2>Hello, <?php echo $_SERVER['PHP_AUTH_USER']; ?></h2>
> <p>I know your password is <?php echo $_SERVER['PHP_AUTH_PW']; ?></p>
> <body>
> </body>
> </html>
>
> Is there a way to make sure apache doesn't set the $_SERVER['PHP_AUTH_PW'] global?
>
> Thanks.
>
> --
> /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
> Patrick Hutchinson [EMAIL PROTECTED]
> Engineering Web Systems Administrator
> 408.527.0305 direct
> Cisco Systems, Inc.
> 408.527.2313 fax
Re: [PHP] Register globals off, still not secure?
Yikes, talk about throwing the baby out with the bathwater!

You may want to look into the auto_prepend_file php.ini setting. If you really want to do it, you can set it up so that the auto-prepended file unsets those values from $_SERVER so that the scripts can't abuse them.

auto_prepend_file = /var/www/killPasswords.php

<?php
unset($_SERVER['PHP_AUTH_PW']);
?>

--
paperCrane
Justin Patrin
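A fuller version of the prepend file Justin describes, added here as an example and not taken from the thread or from any PHP project: it removes the cleartext password copy that mod_php places in $_SERVER, clears the other places a raw Authorization header can be mirrored into (the HTTP_AUTHORIZATION and REDIRECT_HTTP_AUTHORIZATION keys, which only exist in some setups), and records what it removed. The file path, the function name and the use of error_log for auditing are assumptions.

```php
<?php
// /var/www/killPasswords.php (path assumed): candidate auto_prepend_file.
// Added example, not code from the thread. Assumes PHP runs as an Apache
// module (mod_php), where PHP_AUTH_USER/PHP_AUTH_PW are filled in from the
// Basic Authorization header; under CGI/FastCGI those keys are not set at all.

/**
 * Remove cleartext Basic-auth credential copies from a server-variable array.
 * The username (PHP_AUTH_USER) is kept so scripts can still identify the user.
 * Returns the keys that were actually present and removed, for auditing.
 */
function scrub_basic_auth(array &$vars): array
{
    $keys = [
        'PHP_AUTH_PW',                 // set by mod_php from the Basic auth header
        'HTTP_AUTHORIZATION',          // raw header, present in some SAPIs/configs
        'REDIRECT_HTTP_AUTHORIZATION', // copy made by some mod_rewrite setups
    ];
    $removed = [];
    foreach ($keys as $k) {
        if (array_key_exists($k, $vars)) {
            unset($vars[$k]);
            $removed[] = $k;
        }
    }
    return $removed;
}

// Scrub both arrays PHP may populate; $_ENV is usually empty unless
// variables_order includes "E", but it costs nothing to cover it.
$removed = scrub_basic_auth($_SERVER);
scrub_basic_auth($_ENV);

// Audit trail (assumption: error_log ends up in the Apache error log).
if ($removed !== []) {
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-';
    error_log('auth scrub: removed ' . implode(',', $removed) . ' for ' . $uri);
}
```

Two caveats for anyone deploying this. First, set it with php_admin_value in the Apache configuration rather than plain php.ini, so a user's own .htaccess or ini_set() cannot override auto_prepend_file. Second, this only removes the convenient copies: under mod_php every script still runs inside the same Apache process that performed the authentication, so apache_request_headers() can still return the original Authorization header, and a user who can run arbitrary PHP in that process has the same reach as the process itself. Treat the prepend file as reducing casual exposure, not as a trust boundary between users who share the same PHP engine.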