Registered Globals

Discussion regarding Joomla! security issues.

Roundy
Joomla! Apprentice
Posts: 31
Joined: Thu Aug 18, 2005 5:32 pm

Registered Globals

Post by Roundy » Thu Sep 01, 2005 2:27 pm

Hello,
My host does not allow me to use "php_flag register_globals off" in my .htaccess file, and supposedly this is a major security issue. Could someone please let me know what the deal is with registered globals and if I need to worry about it? Also, what other options do I have, being that I cannot use "php_flag register_globals off"?

Thanks

jdg
Joomla! Apprentice
Posts: 38
Joined: Mon Aug 29, 2005 7:49 pm

Re: Registered Globals

Post by jdg » Thu Sep 01, 2005 9:35 pm

Does your host have the phpSuExec enabled on the server?
That's usually the reason why you can't use php flags in your htaccess file.
In that case you can use php directives in a php.ini file in the proper directory.

It would take too long to reproduce the whole lot here, so have a look at my hosting support site here:
http://www.jigsnet.com/index.php?option ... Itemid=181
There you will find more info on phpSuExec and how to deal with it.
Jan de Graaff
Simpleboard Lead Developer and TSMF Founder.

Roundy
Joomla! Apprentice
Posts: 31
Joined: Thu Aug 18, 2005 5:32 pm

Re: Registered Globals

Post by Roundy » Thu Sep 01, 2005 9:50 pm

Thanks for the link jdg,
I looked over the info on that link and hopefully that may be the answer I was looking for. I am going to give the php.ini method a try!


Thanks
Roundy

Roundy
Joomla! Apprentice
Posts: 31
Joined: Thu Aug 18, 2005 5:32 pm

Re: Registered Globals

Post by Roundy » Fri Sep 02, 2005 2:41 pm

After following all the instructions and troubleshooting guides, when using mambo security check I am still showing registered globals are on. So I am not sure if it is a bug in mambo security check or using the php.ini method just won't work on my host server. Is there another way to check whether they are off or on?

Thanks
Roundy
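
One way to check the setting independently of the Mambo security check, as an added example that is not part of the original thread. The file name rg_check.php and the rg_probe parameter are made up for illustration; ini_get() and get_cfg_var() are standard PHP functions.

```php
<?php
// Added example, not Mambo/Joomla! code. Upload under a hypothetical name such as
// rg_check.php, request it as rg_check.php?rg_probe=1, then delete it again.

// What PHP itself reports for the directive.
function register_globals_state()
{
    $raw = ini_get('register_globals');
    if ($raw === false) {
        return 'unavailable'; // directive unknown (it was removed in PHP 5.4)
    }
    // Flags come back as strings such as "1", "", "0", "On" or "Off".
    $on = in_array(strtolower(trim($raw)), array('1', 'on', 'yes', 'true'), true);
    return $on ? 'on' : 'off';
}

// Behavioural cross-check: with the setting on, ?rg_probe=1 becomes a global $rg_probe.
function probe_became_global()
{
    return isset($_GET['rg_probe']) && array_key_exists('rg_probe', $GLOBALS);
}

header('Content-Type: text/plain');
echo 'register_globals reported by PHP: ', register_globals_state(), "\n";
echo 'request variable became a global: ', probe_became_global() ? 'yes' : 'no', "\n";
// Path of the php.ini that was actually loaded, to see whether a per-directory
// php.ini was picked up at all (false means no php.ini was loaded).
echo 'php.ini in use: ', var_export(get_cfg_var('cfg_file_path'), true), "\n";
```

If the first two lines disagree with the security check, or the last line does not point at the php.ini you created, the file is not being read for that directory.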

joomlahut
Joomla! Intern
Posts: 85
Joined: Wed Aug 17, 2005 10:11 pm

Re: Registered Globals

Post by joomlahut » Fri Sep 02, 2005 5:03 pm

jdg wrote: It would take too long to reproduce the whole lot here, so have a look at my hosting support site here:
http://www.jigsnet.com/index.php?option ... Itemid=181
There you will find more info on phpSuExec and how to deal with it.
Nice article!
Michael Morris - BuyHTTP Internet Services
www.demoplaza.com : Flash Tutorials For Joomla
www.buyhttp.com : Joomla Hosting Specialists
Free Joomla Professional Installation + Free Joomla Template

masterchief
Joomla! Hero
Posts: 2316
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia

Re: Registered Globals

Post by masterchief » Mon Sep 12, 2005 10:16 am

I will (if I don't forget) include an alternative version of global.php to emulate register_globals=off.  While this is not a magic bullet it does prevent some forms of attack that leverage mistakes in the code or just sloppy programming practices.

If you want to make your site a touch more secure you could swap to the alternative file.  Of course, this would mean some components will break which is why it's not default in 1.0 (but will be in 1.1).
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.
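
A sketch of what emulating register_globals=off can look like, as an added example that is not Joomla!'s own globals file and not code from this thread. The function name and the list of protected names are assumptions; it has to run at the very top of the entry script, before the application defines any globals of its own.

```php
<?php
// Added example: undo the effect of register_globals=on for the current request.
// Hypothetical helper, not taken from Joomla! or Mambo.
function emulate_register_globals_off()
{
    // Names that request input must never be allowed to use.
    $protected = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                       '_SERVER', '_ENV', '_FILES', '_SESSION');

    // Every array PHP may have copied into the global scope.
    $sources = array($_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV);
    if (isset($_SESSION) && is_array($_SESSION)) {
        $sources[] = $_SESSION;
    }

    $removed = array();
    foreach ($sources as $input) {
        foreach (array_keys($input) as $name) {
            $name = (string) $name;
            if (in_array($name, $protected, true)) {
                // A request key named like a superglobal is never legitimate.
                header('HTTP/1.0 400 Bad Request');
                exit('Illegal variable name in request.');
            }
            if (array_key_exists($name, $GLOBALS)) {
                unset($GLOBALS[$name]); // drop the auto-registered copy
                $removed[] = $name;
            }
        }
    }
    return $removed; // names that had been registered as globals
}

$removed = emulate_register_globals_off();
// From here on input has to be read explicitly, e.g. $_GET['task'].
// Code that still expects a bare $task is the code that breaks.
```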

SiteBuilder
Joomla! Apprentice
Posts: 35
Joined: Fri Aug 19, 2005 6:25 pm
Location: Bend, Oregon

Re: Registered Globals

Post by SiteBuilder » Tue Sep 13, 2005 3:09 pm

Roundy wrote: Hello,
My host does not allow me to use "php_flag register_globals off" in my .htaccess file, and supposedly this is a major security issue. Could someone please let me know what the deal is with registered globals and if I need to worry about it? Also, what other options do I have, being that I cannot use "php_flag register_globals off"?

Thanks
Just curious, what is the major security issue with Register Globals ON?
And is there a thread we should subscribe to so that we are aware of issues?

thanks
Scott Barnes

jdg
Joomla! Apprentice
Posts: 38
Joined: Mon Aug 29, 2005 7:49 pm

Re: Registered Globals

Post by jdg » Tue Sep 13, 2005 8:51 pm

Registering Globals is not a Joomla! security issue but a potential (!!) PHP security issue. "Potential" because properly written code shouldn't have a security issue at all with globals on. However, there's plenty of code available from not so good coders (who write fine code otherwise, no FUD about that) which overlook the security issue posed with globals on.

Now, what security issue is there?
The best answer can be found on the PHP site itself: http://uk2.php.net/register_globals
No need to repeat it here; too long a story ;)

Most hosters turn registering globals to 'off' to protect their customers. That's why..
Jan de Graaff
Simpleboard Lead Developer and TSMF Founder.

SiteBuilder
Joomla! Apprentice
Posts: 35
Joined: Fri Aug 19, 2005 6:25 pm
Location: Bend, Oregon

Re: Registered Globals

Post by SiteBuilder » Tue Sep 13, 2005 9:06 pm

jdg wrote: Registering Globals is not a Joomla! security issue but a potential (!!) PHP security issue. "Potential" because properly written code shouldn't have a security issue at all with globals on. However, there's plenty of code available from not so good coders (who write fine code otherwise, no FUD about that) which overlook the security issue posed with globals on.

Now, what security issue is there?
The best answer can be found on the PHP site itself: http://uk2.php.net/register_globals
No need to repeat it here; too long a story ;)

Most hosters turn registering globals to 'off' to protect their customers. That's why..
I thought it might be a Mambo, I mean Joomla, issue. Good answer. We use phpsuexec and load a php.ini file to turn register globals off.
Scott Barnes

