PHP security

From Arnout Engelen

Jump to: navigation, search

[edit] Sessions

Session fixation is a problem.

Example vulnerable app:

https://www.uitwisselplatform.nl/forum/forum.php?thread_id=173&forum_id=73

Explanation of the problem:

http://phpsec.org/projects/guide/4.html

Explanation of the solution:

....?

[edit] register_globals

Register_globals is baaaaad. PHP code should not rely on it, and even deny service if it's on.

Example vulnerable app:

https://www.uitwisselplatform.nl/forum/forum.php?thread_id=172&forum_id=73

Explanation of the problem:

http://www.php.net/register_globals

Solution

turn it off in php.ini
don't turn it on in .htaccess
write your scripts to check it's off:

 if (@ini_get('register_globals'))
 {
   print 'Turn off register_globals. It is a serious security hazard. See <a href="http://www.php.net/register_globals">this page</a> for more info.';
   exit(0);
 }

Retrieved from "http://arnout.engelen.eu/index.php/PHP_security"

Views

Personal tools

Log in / create account

Search

Toolbox