This is a discussion on REGISTER GLOBALS query within the alt.comp.lang.php forums, part of the PHP Programming Forums category.
Recently the www host provider I use disabled "register globals" and sent
the following message:-

"To further improve the security of our servers we will be disabling register_globals across all servers ....... "
"If you are running any scripts that do not have an update available and do require register_globals you can enable it by adding the following to the .htaccess file located in your public_html folder: php_value 'register_globals' '1' ".

OK ... so I've specified that and the diddly little PHP script I use now works again.

Two questions though:-

1. What is the security exposure that they were trying to close?

2. How do I stop my small piece of script from using 'register_globals' ?

Although an experienced IT designer, I'm not a PHP programmer (or indeed ASP or any other web scripting language except some HTML), so I'd just like to get an understanding of the issues and be informed what I'd need to do to prevent the script from using 'register_globals'.

FYI, the script is :-
<?PHP
header("Content-type: application/octet-stream");
header("Content-Length: ".filesize($filename));
header("Content-Disposition: attachment; filename=$filename");
$fp = fopen($filename, 'rb');
fpassthru($fp);
fclose($fp);
?>

TIA
Richard
"Richard" <(none)> wrote in message news:452c01e3@newsgate.x-privat.org...
> Recently the www host provider I use disabled "register globals" and sent
> the following message:-
>
> "To further improve the security of our servers we will be disabling
> register_globals across all servers ....... "
> "If you are running any scripts that do not have an update available and
> do require register_globals you can enable it by adding the following to
> the .htaccess file located in your public_html folder: php_value
> 'register_globals' '1' ".
>
> OK ... so I've specified that and the diddly little PHP script I use now
> works again.
>
> Two questions though:-
>
> 1. What is the security exposure that they were trying to close?
>
> 2. How do I stop my small piece of script from using 'register_globals' ?
>
> Although an experienced IT designer, I'm not a PHP programmer (or indeed
> ASP or any other web scripting language except some HTML), so I'd just
> like to get an understanding of the issues and be informed what I'd need
> to do to prevent the script from using 'register_globals'.
>
> FYI, the script is :-
> <?PHP
> header("Content-type: application/octet-stream");
> header("Content-Length: ".filesize($filename));
> header("Content-Disposition: attachment; filename=$filename");
> $fp = fopen($filename, 'rb');
> fpassthru($fp);
> fclose($fp);
> ?>
>
> TIA
> Richard

here you go http://php.net/manual/en/security.globals.php
In article <452c01e3@newsgate.x-privat.org>, says...
> Recently the www host provider I use disabled "register globals" and sent
> the following message:-
>
> "To further improve the security of our servers we will be disabling
> register_globals across all servers ....... "
> "If you are running any scripts that do not have an update available and do
> require register_globals you can enable it by adding the following to the
> .htaccess file located in your public_html folder: php_value
> 'register_globals' '1' ".
>
> OK ... so I've specified that and the diddly little PHP script I use now
> works again.
>
> Two questions though:-
>
> 1. What is the security exposure that they were trying to close?
>
> 2. How do I stop my small piece of script from using 'register_globals' ?
>
> Although an experienced IT designer, I'm not a PHP programmer (or indeed ASP
> or any other web scripting language except some HTML), so I'd just like to
> get an understanding of the issues and be informed what I'd need to do to
> prevent the script from using 'register_globals'.
>
> FYI, the script is :-
> <?PHP
> header("Content-type: application/octet-stream");
> header("Content-Length: ".filesize($filename));
> header("Content-Disposition: attachment; filename=$filename");
> $fp = fopen($filename, 'rb');
> fpassthru($fp);
> fclose($fp);
> ?>

I don't think you'd be hit by it, but the security risk is that people accessing the page could set values for certain variables. If the script assumes those variables to be initialized to NULL, there may be unexpected behaviour.

In the case of your script, I'd advise inserting this line just below the <?PHP

$filename = $_REQUEST['filename'];

Though there isn't really a security risk in having register_globals on for a script this simple, better safe than sorry.

--
PleegWat
Remove caps to reply
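
Added example (not part of the thread, and not code from any of the posters): the download script rewritten to read the request parameter explicitly, so it runs with register_globals off, and to serve only files from one directory, because the value still comes from the visitor wherever it is read from. DOWNLOAD_DIR, the helper name resolve_download and PHP 7.1 or later are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes downloadable files live in
// a single directory (DOWNLOAD_DIR is a hypothetical path) and that the
// request parameter is named "filename", as in the original script.
const DOWNLOAD_DIR = '/home/example/downloads';

/**
 * Map a requested name to a real file inside $baseDir, or return null.
 * Works with register_globals off because the caller passes the value
 * explicitly instead of relying on an auto-created $filename.
 */
function resolve_download($requested, string $baseDir): ?string
{
    // Arrays (?filename[]=x) and empty values are rejected outright.
    if (!is_string($requested) || $requested === '') {
        return null;
    }
    // basename() drops any directory part, so the name cannot point
    // outside $baseDir through path components.
    $name = basename($requested);
    // Conservative allow-list: letters, digits, dot, dash, underscore; no leading dot.
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*$/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks; the result must still be under $base.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Only emit a response when run by the web server, not from the CLI.
if (PHP_SAPI !== 'cli') {
    $path = resolve_download($_GET['filename'] ?? null, DOWNLOAD_DIR);
    if ($path === null) {
        http_response_code(404);
        exit('File not found');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    // The name passed the allow-list above, so it is safe inside the header.
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}
```

With the parameter read from $_GET, the php_value 'register_globals' '1' line is no longer needed in .htaccess.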