SitePoint Sponsor

User Tag List

Page 2 of 2 FirstFirst 12
Results 26 to 29 of 29
  1. #26
    You talkin to me? Anarchos's Avatar
    Join Date
    Oct 2000
    Location
    Austin, TX
    Posts
    1,438
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    fj_111's post shows why: if you type HTTP_REFERER onto the url and have register_globals enabled you can set it.

    This is because HTTP_SERVER_VARS['HTTP_REFERER'] is only set when a referrer exists; that is, when you clicked a link to get to the page. So if you just type in the url, there will be no server HTTP_REFERER, which will allow the HTTP_GET_VARS['HTTP_REFERER'] to actually make it to the script as $HTTP_REFERER.

    Kinda confusing but it's an interesting security anomaly.
    ck :: bringing chris to the masses.

  2. #27
    Node mutilating coot timnz's Avatar
    Join Date
    Feb 2001
    Location
    New Zealand
    Posts
    516
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I understand now, HTTP_REFERER is a bit different from the rest, since it is only available when it is actually set.
    Oh no! the coots are eating my nodes!

  3. #28
    SitePoint Member
    Join Date
    May 2001
    Location
    Hamburg, Germany
    Posts
    18
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I think I am slowly getting what you are saying.

    Just to confirm my php.ini had the following values:
    variables_order = "EGPCS"
    register_globals = On
    track_vars = On

    However:
    I did not just type in the url "test2.php", instead I clicked the link in "test1.html"

    So from what anarchos says HTTP_REFERER exists (is set), therefore HTTP_SERVER_VARS[] should have overwritten whatever a (malicious?) user might have added.
    Is this because I am testing my files on localhost, maybe this prevents HTTP_REFERER to be set in the first place so that HTTP_SERVER_VARS[] doesn't overwrite it?

    Best solution to me seems to set register_globals to "Off" or does that cause any other security problems I don't know of?

    Frank :-)
    That' it.

  4. #29
    You talkin to me? Anarchos's Avatar
    Join Date
    Oct 2000
    Location
    Austin, TX
    Posts
    1,438
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    No, it's not because you're running it on localhost, PHP can't tell the difference. And yes, turning register_globals off will help significantly with security.
    ck :: bringing chris to the masses.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •