Register_Globals


lerningkurv

Hello all.

I've got some thoughts/questions regarding register globals.

How many people are using register globals set on because they can't get osC to work otherwise?

I don't want to use osC if I can't use it securely, and with all due respect (truly), those who develop this wonderful piece of free software or spend their time maintaining these forums should make a "read this" concerning the matter. IMHO they are creating security issues by not providing more relevant info/docs.

What are the security risks if they are turned on? There must be something significant to it if it is being deprecated in PHP. I have searched for "register_globals", 1000 returns. Whew! That's a lot of weeding through posts. I'm aware of the register globals patch(es) but I can't seem to find a lot of info on using it. I could not find if it should be applied before or after installation of osC. That seems important. Could someone point me to a link, a post, a tome? :)

Is this an issue that will be resolved with future releases of osC?

Yes, I'm a newbie to Linux, Apache, PHP and such. Like many others.

Maybe one post by the right person, that would turn up at the top of a search, would solve many questions regarding the overall topic of "Register_globals".

I hope I have worded this without offense or sarcasm, for none is intended.

Thanks


http://www.oscommerce.com/community/contri...egister+globals

Chuck that contrib into a FRESH install of osc, then off you go. This is by far the easiest way to get around the problem, which I believe will be addressed and resolved in the next release of osc.

Anyway, prob not a good idea to run with globals turned on, but having said that I think it's a belt and braces approach - your server has a vulnerability if it is switched on, but the person trying to get in has to have so much knowledge they can prob find another way in anyway. Having said that, if yours is turned off, maybe they'll go and bother someone else first...

Please note - if I have suggested a contrib above, it doesn't mean it will work! Most of the contribs are not ones I've used, but may be useful for your particular problem....

Have you tried a refined search? Chances are your problem has already been dealt with elsewhere on the forums.....

if (stumped == true) {

return(square_one($start_over)

} else {

$random_query = tep_fetch_answer($forum_query)

}
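
The risk asked about above, as an added example that is not part of the original thread or of osCommerce's code: with register_globals on, PHP creates a variable for every request parameter, so a script variable that is never initialised can be set by the client. `extract()` stands in for the setting here because PHP 5.4 and later no longer have it; the function names and the `authorized` parameter are hypothetical.

```php
<?php
// Added illustration; function names and the "authorized" parameter are hypothetical.

// Stand-in for register_globals=On: each request parameter becomes a local
// variable unless the script already defined that name (EXTR_SKIP).
function check_with_globals_on(array $request, bool $passwordOk): bool
{
    extract($request, EXTR_SKIP);
    if ($passwordOk) {
        $authorized = true;
    }
    // $authorized was never initialised, so a request-supplied value survives.
    return !empty($authorized);
}

// Same logic, written so the setting no longer matters: the variable starts
// from a known value, which overwrites anything injected from the request.
function check_initialised(array $request, bool $passwordOk): bool
{
    extract($request, EXTR_SKIP);
    $authorized = false;
    if ($passwordOk) {
        $authorized = true;
    }
    return $authorized;
}

// register_globals=Off: request data is only reachable through its array
// (the $_GET / $_POST superglobals in a real page) and is read explicitly.
function check_with_globals_off(array $request, bool $passwordOk): bool
{
    $authorized = $passwordOk;
    return $authorized;
}

// Constructed request, equivalent to a query string of ?authorized=1
$request = ['authorized' => '1'];

foreach (['check_with_globals_on', 'check_initialised', 'check_with_globals_off'] as $fn) {
    printf("%-24s wrong password -> %s\n", $fn, $fn($request, false) ? 'ALLOWED' : 'denied');
}
```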


If the version of PHP your hosting company is using is too out of date (4.3.9 and below, or 4.3.10 unpatched) then whether Register Globals is On or Off makes no difference as the site will be vulnerable anyway.

It's only around 15 months ago that PHP was on version 4.3.5 - that's how quickly things get to be out of date and vulnerable.


Vger


Archived

This topic is now archived and is closed to further replies.
