How unsafe is register_globals? (PHP General forums, PHP Programming Forums category)
I've got this new server running with folks from all over uploading PHP code. I don't know all the folks, so I've turned on safe_mode, set an open_basedir to each user's documentroot, and left register_globals at its default.

And now I'm getting scads of requests to turn on register_globals from folks who want to run php-nuke and some other established packages that rely on it.

I realize that register_globals isn't itself unsafe ... but do the potential insecurities put my server at risk, or only customer data?

By turning register_globals on with an otherwise safe open_basedir, are there things that could be revealed about the server that would otherwise be hidden?

My instinct says to leave register_globals OFF, and if folks want to run software that requires it, they should lobby the software maintainers to upgrade the software. (But how likely is php-nuke to get fixed?)

Thoughts?

--
Paul Chvostek <paul@it.ca>
Operations / Abuse / Whatever
it.canada, hosting and development http://www.it.ca/
Paul Chvostek <paul+php@it.ca> wrote:

> I've got this new server running with folks from all over uploading PHP
> code. I don't know all the folks, so I've turned on safe_mode, set an
> open_basedir to each user's documentroot, and left register_globals at
> its default.
>
> And now I'm getting scads of requests to turn on register_globals from
> folks who want to run php-nuke and some other established packages that
> rely on it.

You could trick 'em and set error_reporting = E_ALL & ~E_WARNING, and just say they need to get the software fixed :)

> I realize that register_globals isn't itself unsafe ... but do the
> potential insecurities put my server at risk, or only customer data?

No server risks as far as I know, just security flaws in the applications.

> By turning register_globals on with an otherwise safe open_basedir,
> are there things that could be revealed about the server that would
> otherwise be hidden?
>
> My instinct says to leave register_globals OFF, and if folks want to run
> software that requires it, they should lobby the software maintainers to
> upgrade the software. (But how likely is php-nuke to get fixed?)

I would tend to agree with you. Some influence on it depends on whether PHP is going to remove the ability to turn register_globals on and off through the config. As a developer myself, I'd rather see safer programming techniques used.

> Thoughts?
>
> --
> Paul Chvostek <paul@it.ca>
> Operations / Abuse / Whatever
> it.canada, hosting and development http://www.it.ca/

Not much, but I hope it gave ya my viewpoint on it anyway.

Curt
--
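The "security flaws in the applications" that register_globals enables are almost always the same bug: a variable that the code only assigns on one path, and that an attacker can pre-set from the query string because every request parameter becomes a PHP global before the script runs. The example below is added here to illustrate that; it is not code from the thread, from php-nuke, or from PHP itself. register_globals was removed in PHP 5.4, so its effect is emulated with extract(), which is also how the compatibility shims of the time re-created it. The credential table and the request arrays are constructed for the demo and stand in for a real user store and for $_GET.

```php
<?php
declare(strict_types=1);

// Added example: the classic register_globals flaw and its fix.
// Constructed demo credential table; real code would store password_hash()
// output and compare with password_verify().
const DEMO_USERS = ['paul' => 'correct horse battery staple'];

function check_password(string $user, string $pass): bool
{
    return array_key_exists($user, DEMO_USERS)
        && hash_equals(DEMO_USERS[$user], $pass);
}

// Vulnerable pattern, written the way register_globals-era code often was:
// $authorized is assigned only on the success path, and the author relied
// on an unset variable being falsy everywhere else.
function vulnerable_admin_check(array $request): bool
{
    // Emulate register_globals = On: every request parameter becomes a
    // variable in this scope before the application's own code runs.
    // (Constructed stand-in; the real mechanism ran before script start.)
    extract($request, EXTR_SKIP);

    if (isset($user, $pass) && check_password((string) $user, (string) $pass)) {
        $authorized = true;
    }
    // For a request of ?authorized=1, $authorized was already set by the
    // extract() above, so this returns true with no credentials at all.
    return !empty($authorized);
}

// The same check written to run with register_globals = Off: every
// variable is initialised before use, and request data is read only from
// the request array (the $_GET/$_POST superglobals in real code).
function hardened_admin_check(array $request): bool
{
    $authorized = false;
    $user = isset($request['user']) ? (string) $request['user'] : null;
    $pass = isset($request['pass']) ? (string) $request['pass'] : null;

    if ($user !== null && $pass !== null && check_password($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests standing in for $_GET.
$requests = [
    'legit'    => ['user' => 'paul', 'pass' => 'correct horse battery staple'],
    'forged'   => ['authorized' => '1'],            // GET /admin.php?authorized=1
    'badcreds' => ['user' => 'paul', 'pass' => 'guess'],
];

foreach ($requests as $name => $req) {
    printf("%-8s vulnerable=%s hardened=%s\n",
        $name,
        var_export(vulnerable_admin_check($req), true),
        var_export(hardened_admin_check($req), true));
}
```

Run it with `php` on the command line: the forged request passes the vulnerable check and fails the hardened one, while the legitimate and bad-credential requests behave the same under both. The same mechanism reaches any variable that is read before it is assigned, including a path variable handed to include(), which is why the exposure under register_globals depends entirely on how each hosted application was written rather than on the setting itself. Note also that register_globals was a PHP_INI_PERDIR directive, so on PHP versions that still had it, a host could enable it per directory or per virtual host (for example with php_flag in an Apache configuration) instead of server-wide, limiting the exposure to the customers who ask for it.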