In the landscape of web security, keeping your website safe from potential threats is paramount. One often overlooked yet critical aspect is the configuration of your PHP settings.
Among these, the register_globals directive stands out due to its potential to introduce significant security vulnerabilities.
What is register_globals?
The register_globals directive in PHP was designed to automatically populate global variables with data from user input (e.g., GET, POST, and COOKIE data). While this might have seemed convenient in the early days of PHP development, it poses a severe security risk.
Enabling register_globals can lead to unintended variable overwrites and make your application vulnerable to various types of attacks, such as cross-site scripting (XSS) and SQL injection.
The register globals allow an attacker to overwrite variables in a script by simply adding parameters to requests. PHP has this feature disabled by default in PHP 4.2.0 and above.
But there are some hosting servers that still support old PHP versions. There are servers that have set register globals as enabled.
This vulnerability and the use of variables without initialization may lead to many security vulnerabilities. Using register globals makes the application vulnerable to malicious user inputs.
Beagle Security recommends using super globals to access these variables. The register_globals has been removed from PHP version 5.4.0.
What are the impacts when PHP register globals gets enabled?
1. Legacy code issues
Code breakage: If your application relies on register_globals, disabling it can cause parts of your code to break. Variables that were previously automatically populated will no longer be available, leading to potential functionality issues.
Refactoring required: You may need to refactor your code to explicitly use superglobals for handling user input. This can be time-consuming, especially for large or complex applications.
2. Initial transition effort
Testing and debugging: After disabling register_globals, thorough testing is required to identify and fix any issues that arise. Debugging and modifying legacy code can be a meticulous process.
Development resources: The transition may require additional development resources to ensure that all parts of the application are updated and functioning correctly without register_globals.
How can you prevent PHP’s register globals when enabled?
PHP’s register_globals directive is a security risk, as it allows for the automatic creation of global variables from GET, POST, Cookie, and other input data. This feature has been deprecated since PHP 4.2.0 and removed entirely as of PHP 5.4.0.
However, if you’re working with an older version of PHP, here are some steps you can take to prevent register_globals from being enabled:
1. Update PHP
The best and most secure approach is to update your PHP version to at least PHP 5.4.0 or later, where register_globals is no longer available.
2. Modify php.ini
If updating PHP is not an option, you can disable register_globals in your php.ini configuration file.
3. Use .htaccess (if using Apache)
For environments where you do not have access to php.ini, you can disable register_globals using a .htaccess file
4. Code-level protection
Even with register_globals disabled, it’s good practice to write secure code by initializing your variables properly and validating/sanitizing all user inputs.
// Unset global variables
foreach ($_REQUEST as $key => $value) {
unset($GLOBALS[$key]);
}
5. Server configuration
Ensure your server is configured securely by:
Using modern, maintained server software.
Applying all security patches and updates promptly.
Following best security practices for web server configuration.
6. Environment configuration
Check the environment configuration of your web host or server to ensure register_globals cannot be turned on inadvertently:
Create a phpinfo.php file with
<?php phpinfo(); ?>
to check the current configuration.
Remove or disable this file after confirming settings.
