Several important php.ini options
Register Globals
In PHP >= 4.2.0, the register_globals option in php.ini defaults to Off. When register_globals is set to On, the program can receive various environment variables from the server, including variables submitted through forms. Because PHP does not require a variable to be initialized in advance, this leads to serious security risks.
Example 1:
<?php
//ex1.php
//check_admin() checks the current user's permissions. If the user is an admin, $is_admin is set to true; the script then tests this variable before performing management operations.
if (check_admin())
{
    $is_admin = true;
}
if ($is_admin)
{
    do_something();
}
?>
This code does not initialize $is_admin to false in advance. If register_globals is On, we can directly submit http://www.sectop.com/ex1.php?is_admin=true to bypass the check_admin() verification.
Example 2:
<?php
//ex2.php
if (isset($_SESSION["username"]))
{
    do_something();
}
else
{
    echo "You are not logged in yet!";
}
?>
<?php
//ex1.php
//The dir parameter is concatenated into the shell command without any filtering
$dir = $_GET["dir"];
if (isset($dir))
{
    echo "<pre>";
    system("ls -al ".$dir);
    echo "</pre>";
}
?>
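A hardened counterpart of the directory listing in ex1.php above, added here as an example (it is not code from the original article). It reads the directory with scandir() instead of passing the parameter to a shell, and rejects any path that resolves outside a base directory. The function name list_dir() and the choice of base directory are assumptions made for illustration.

```php
<?php
// Added example, not from the original article. list_dir() and the base
// directory are hypothetical; the base is assumed to be the only tree that
// users may browse.

/**
 * Return the entries of $requested if it resolves to a directory inside
 * $base, or null if the request must be rejected.
 */
function list_dir(string $requested, string $base): ?array
{
    // Filesystem functions reject NUL bytes; refuse them up front.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks, and returns false for
    // paths that do not exist.
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($baseReal === false || $target === false || !is_dir($target)) {
        return null;
    }
    // Containment check: the resolved path must be $base or lie below it.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $baseReal && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // scandir() reads the directory directly; no shell is involved, so
    // characters such as ";" or "|" have no special meaning.
    $entries = scandir($target);
    return $entries === false ? null : array_values(array_diff($entries, ['.', '..']));
}

// Constructed sample inputs; in ex1.php the value would come from $_GET["dir"].
$base = sys_get_temp_dir();
foreach (['.', '../', '.; id', "a\0b"] as $input) {
    $entries = list_dir($input, $base);
    if ($entries === null) {
        echo json_encode($input), " => rejected\n";
        continue;
    }
    echo json_encode($input), " => ", count($entries), " entries\n";
    foreach (array_slice($entries, 0, 3) as $name) {
        // Escape file names before they reach HTML output.
        echo "  ", htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

If an external command cannot be avoided, escapeshellarg() quotes the argument so it is treated as a single value, but it does not restrict which directory is listed.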
mixed eval(string code_str) //eval injection usually occurs when the attacker can control the input string
<?php
//ex2.php
$var = "var";
if (isset($_GET["arg"]))
{
    $arg = $_GET["arg"];
    //The user-controlled $arg becomes part of the code string that eval() executes
    eval("\$var = $arg;");
    echo "\$var =".$var;
}
?>