PHP register-globals is enabled

The register globals allow an attacker to overwrite variables in a script by simply adding parameters to requests. PHP has this feature disabled by default in PHP 4.2.0 and above. But, there are some hosting servers that still support old PHP versions. There are servers that have set register globals as enabled. When register_globals is enabled, PHP will automatically create variables in the global scope and any values can be passed through GET, POST or COOKIE to these variables. This vulnerability along with the use of variables without initialisation may lead to numerous security vulnerabilities. Using register globals makes the application vulnerable to malicious user inputs. So Beagle recommends using super globals to access these variables. The register_globals has been removed from PHP version 5.4.0.

Impact

The attacker uses a .htacess file to hide malware and redirect search engines to their own malicious page.

Mitigation / Precaution

beagle recommends the following fixes:-

  • If the application runs on PHP 4.1.0 or below, update PHP to the latest version.
  • If updating PHP is a no go for the application, then set register_globals as off in php.ini or htaccess.

.htaccess

        php_flag register_globals off

    

php.ini

        register_globals = 'off'

    

Latest Articles