
One of my clients is requesting that register_globals be turned on so his site can work normally.

But I disabled custom php.ini files with suphp because of security issues.

I must do this because of an attack called Symlink: when someone has access to a hosting account on my server, he can see a list of all sites hosted on my server, see the source of the PHP files of a site, get into the database, and hack the site.

So I disabled some functions in PHP, which prevents this, and I disabled custom php.ini files to prevent overwriting my server settings.

My question is, how can I turn register_globals ON for only one directory, without having to enable custom php.ini files?

Thanks

Luka

1 Answer


Register Globals is no longer part of PHP, and for extremely good reasons. You need to push this back to your client and tell them to sort their site out.

Here is a link with a little more info:

http://php.net/manual/en/security.globals.php

(Note that they were deprecated in 2009)

Dan
  • I know, but it is hard to explain that to him; he called a lawyer, because "I am not providing him what he paid for"... – Luka Jun 24 '13 at 10:34
  • 1
    I never said it would be easy, but that **is** the answer. If you're on PHP 5.4 then you have no choice anyway. – Dan Jun 24 '13 at 10:40
  • 1
    he paid explicitly for register_globals? ;) – Pascal Schmiel Jun 24 '13 at 10:40
  • On our hosting servers we use PHP 5.3.26, which has register_globals. But when this PHP version comes to end of life, we will update to the latest version, PHP 5.4. We cannot update to PHP 5.4 yet because many sites have issues after updating. – Luka Jun 24 '13 at 10:48
  • This is the fix, so the script can work without register_globals: just put this code at the top of every file of the script: `foreach ($_POST as $var => $val) $$var = $val; foreach ($_GET as $var => $val) $$var = $val; foreach ($_COOKIE as $var => $val) $$var = $val;` – Luka Jun 24 '13 at 12:19
  • 1
    @Luka That's the worst bit of PHP I've ever seen and exposes you straight back to huge security vulnerabilities. – Dan Jun 24 '13 at 12:31
  • 1
    @Luka My advice: Dump the client. It's obvious they don't care about security and allowing this behavior exposes you to huge risk. – Nathan C Jun 24 '13 at 12:33
  • Let them call a lawyer. You can't give them what doesn't exist. I'd like to see a judge uphold that. – Travis Jun 24 '13 at 12:33
  • There's nothing wrong with sacking a client when they're being unreasonable. The hassle some people generate is not worth the bit of money they pay. – Rob Moir Jun 24 '13 at 12:35
  • Thank you guys for your support; this piece of PHP fixed the problem as I mentioned... It is good that it is working. For the security issues I do not care, it is his site; I told him many times to edit the script to work without register_globals, and he didn't listen to me... – Luka Jun 24 '13 at 15:57
  • @Luka I appreciate your dilemma, but it's not just his site at risk. I hope it isn't on shared hosting or on the same IP as others. – Dan Jun 25 '13 at 07:43
  • Why is that a security risk for others? – Luka Jun 27 '13 at 14:47
  • @Luka I don't have details of your hosting, but if his site is compromised it's a clear attack vector onto the server. Or, perhaps his site is just used for sending spam - that could get a shared IP quickly blacklisted, for example. There are loads of possibilities, some discovered, some not - which is why deliberately opening security vulnerabilities is a **big** decision to take. – Dan Jun 27 '13 at 15:05
  • We monitor all of these things :) – Luka Jun 27 '13 at 15:21
  • It's your risk, dude, not mine. I just wanted to state it for you and for anybody else looking here – Dan Jun 27 '13 at 15:23
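
The three `foreach` loops posted in the comments re-create register_globals by hand, which is why Dan objects to them. As an added example (not code from the question, the answer, or the PHP manual), the script below runs one constructed request through an old-style page that relied on `$authorized` being set only by its login check, first with those loops in place and then with an allowlist import that never writes into the symbol table. The function names `legacy_page_unsafe`, `request_vars` and `page_safe`, and the request values, are constructed for this example; it is written to run on PHP 5.3 as well as current versions.

```php
<?php
// Added example: the comments' register_globals emulation vs. an allowlist import.
// Constructed request from a visitor who is NOT logged in: ?authorized=1&page=reports
$_GET    = array('authorized' => '1', 'page' => 'reports');
$_POST   = array();
$_COOKIE = array();

// The posted fix, placed at the top of the file, followed by a typical old script
// that assumed $authorized could only be set by its own login check.
function legacy_page_unsafe($logged_in)
{
    foreach ($_POST as $var => $val) $$var = $val;
    foreach ($_GET as $var => $val) $$var = $val;
    foreach ($_COOKIE as $var => $val) $$var = $val;
    if ($logged_in) {
        $authorized = true;
    }
    // $authorized is never initialised to false, so the loops above have already
    // created it from the query string: the visitor, not the server, decides.
    if (!empty($authorized)) {
        return 'reports page';
    }
    return 'login required';
}

// Replacement: copy only the keys the script names into an array, never into the
// symbol table, with a fixed precedence (POST over GET; cookies are not inputs here).
function request_vars(array $allowed)
{
    $out = array();
    foreach ($allowed as $name) {
        if (isset($_POST[$name])) { $out[$name] = $_POST[$name]; }
        elseif (isset($_GET[$name])) { $out[$name] = $_GET[$name]; }
    }
    return $out;
}

function page_safe($logged_in)
{
    $authorized = (bool) $logged_in;     // from server-side state only
    $in = request_vars(array('page'));   // 'authorized' cannot be imported
    if (!$authorized) {
        return 'login required';
    }
    return isset($in['page']) ? $in['page'] . ' page' : 'home page';
}

// Same request, same not-logged-in visitor, through each version; compare the output.
echo legacy_page_unsafe(false), "\n";
echo page_safe(false), "\n";
```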