Register_Globals Override

October 29, 2010
Let's start by saying that there are no scripts on this site that require this function, and I'm not making this function to allow the continuation of development around this issue. You really should read the links below here before you use this function. This is a SERIOUS security threat to improperly developed (read: Most) PHP applications.
Download Original
  1. <?PHP
  2. /*This function emulates the PHP.INI setting being set to ON, which should only be used on a server with register globals OFF, to assist
  3. in revising legacy scripts developed on servers designed for register_globals. The security vulnerabilites of having this feature on are
  4. well known, so use this function ONLY while updating these scripts, preferably on a development server.
  5.  
  6. PHP's Handbook on Security with Register Globals
  7.     http://php.net/manual/en/security.globals.php
  8.     
  9. Use the output of this script at the beginning of your programs to negate register_globals holes, however it will not pull in the vars.
  10.     http://www.robert-lerner.com/phpvarlist.php
  11.     
  12. License:
  13.     Copyright ©2010 Robert Lerner, All Rights Reserved http://www.robert-lerner.com
  14.     Feel free to incorporate this script into any script, personal, free, open-source, or commercial. Please leave this license statement
  15.     intact.*/
  16. $variables_order = strtoupper(trim(ini_get("variables_order")));
  17. for ($i=0;$i<=strlen($variables_order)-1;$i++) {
  18.     $array_to_extract = substr($variables_order,$i,1);
  19.     if ($array_to_extract=="E") { extract($_ENV);    }
  20.     if ($array_to_extract=="G") { extract($_GET);    }
  21.     if ($array_to_extract=="P") { extract($_POST);   }
  22.     if ($array_to_extract=="C") { extract($_COOKIE); }
  23.     if ($array_to_extract=="S") { extract($_SERVER); } 
  24. 	}
This script is best used as an include file before anything in your scripts. Failing to include this first will allow this script, which does NO FILTERING to override the variables you may have already sanitized. Meaning you're going to be dealing with XSS, XSRF, and SQL Injections. Bad news indeed.

So wait, you're writing code to open holes?

I sure am. I know, sounds insane, but unless you read those links above, you won't understand why this would be useful. Some of you who really read them may have noticed that PHP.NET provides it's own version of this function. So why use mine?

Inside of PHP.INI, the file that "configures" PHP, a directive exists titled variables_order. This variable controls the order that the variables are registered, for example, GPCES would import all of the variables in these arrays: $_GET, $_POST, $_COOKIE, $_ENV and $_SERVER, and in that order. So if you used the following code:

<form action='page.php?id=5' method='post'>
    <input type='text' name='id' value='4' />
</form>

The PHP file, if register_globals is on or this script is used, would cause $id to equal 4. The order the arrays are imported causes $_POST variables of the same name to overwrite $_GET variables, unless of course, inside your script, you include the code:

<?PHP
    $id = $_GET['id'];
?>

This would re-read the $_GET array and override the register_globals / this script's output.

PHP.NET's example doesn't respect this variable order, nor does it count for differing lengths. For example, PHP 5.3.3's PHP.INI file has four array order element listed, older ones may have more, and custom ones may have less. This works with all of them.

Happy Fixing!
Name:

No comments yet! Be the first!