Tobias Toedter <[EMAIL PROTECTED]> wrote:

> Hi,
>
> while getting to know the PHP code better and better, I noticed that
> obviously PHP runs with "register_globals = on" for Savane (and, no doubt,
> Savannah as well).
>
> This is a bad thing to do and should be avoided under all circumstances.

Unfortunately, this would require heavy, heavy work. I tried some months ago to work in that direction and forgot about it since then, considering the extra work it would imply. That said, in the long run, it would be a nice addition, nobody would say the contrary.

register_globals is a bad thing but, unfortunately, register_globals has been off by default only since a 4.x version, and much PHP software that began before runs into that problem.

> Moreover, there are some portions of the code where a malicious user
> can easily inject SQL code to, say, view the contents of
> /etc/passwd.

Can you give me in private an example so I can test at home to evaluate the impact? Normally, most of the SQL requests should be escaped. However, it is true that the PHP mysql information does not do it for the developer (unlike Perl DBI), so I would not be really surprised.

> I haven't looked into all files, but I can imagine that there are other
> possibilities as well: Maybe deleting all data from tables,
> adding yourself to a project you don't belong to, etc.

All because of register_globals? Most of the commands like that should be safe most of the time. For instance, to execute the code where a user is added to a project, you must first be project admin (otherwise you would get an exit()). Maybe you missed the fact that the headers() function has this kind of test and that function is always (or should always be) executed before any SQL command.

> The list is probably not complete.
>
> How should we proceed?

First, we should confirm the issue. While it is always possible to find such problems, I would be a bit surprised to find such big bugs that no one ever noticed before -- but it is still possible. Can you send me an exploit in private?
--
Mathieu Roy

+---------------------------------------------------------------------+
| General Homepage: http://yeupou.coleumes.org/ |
| Computing Homepage: http://alberich.coleumes.org/ |
| Not a native english speaker: |
| http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english |
+---------------------------------------------------------------------+
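The two problems discussed in this thread (code that only works because register_globals fills in variables, and request values interpolated into SQL without escaping) side by side with the form that works with register_globals off. This is an added illustration, not Savane or Savannah code; the "groups" table, its columns and the "group_id"/"group_name" parameter names are assumed for the example.

```php
<?php
// Added example, not project code. Table/column names are hypothetical.

// Pattern that only works with register_globals = on: $group_id is silently
// filled from GET/POST/cookie, and it is interpolated unescaped. With
// register_globals = off this variable is simply undefined.
function project_query_relying_on_register_globals()
{
    global $group_id;  // set by register_globals, never declared here
    return "SELECT group_name FROM groups WHERE group_id = '$group_id'";
}

// Same lookup written to work with register_globals = off: read the
// parameter explicitly from the superglobal, validate its shape, and cast
// it so nothing but an integer reaches the query.
function project_query_explicit()
{
    if (!isset($_GET['group_id']) || !ctype_digit($_GET['group_id'])) {
        exit('Missing or invalid group_id');
    }
    $group_id = (int) $_GET['group_id'];
    return "SELECT group_name FROM groups WHERE group_id = $group_id";
}

// For string parameters the mysql extension does not escape for you (as
// the mail notes, unlike Perl DBI): do it explicitly with the driver's
// escaping function, using the open connection's charset.
function project_by_name_query_explicit($link)
{
    $name = isset($_GET['group_name']) ? $_GET['group_name'] : '';
    $name = mysql_real_escape_string($name, $link);
    return "SELECT group_id FROM groups WHERE group_name = '$name'";
}

// Startup check: refuse to run while the insecure setting is still on, so
// a misconfigured deployment is noticed rather than silently tolerated.
function assert_register_globals_off()
{
    if (ini_get('register_globals')) {
        exit('register_globals must be off; set it in php.ini or .htaccess');
    }
}
```

Under `register_globals = off` the first function returns a query with an empty id, which is how surviving dependencies on the setting are typically found during the migration the reply describes.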
