Register Globals on by default - Any risks?


ken.yong

Posted

Hi, my hosting company has Register Globals on by default. Obviously then I won't have warnings on Register Globals being off.

 

Quick question:

 

I have installed the Register Globals patch contribution regardless, since I realize with Register Globals on it means security risks. Because Register Globals is on by default, would applying the patch eliminate the security risks imposed by Register Globals being on?

 

Thanks!

Posted

No it will not.

 

You must disable register globals in php.ini in order to gain the security benefits. All the patch does is make osc WORK with register globals disabled.

 

You have to bear in mind also that because the register globals setting is (usually) global to the whole web server, even if you are sure that your application is not vulnerable to such an attack (and I know that some people are convinced osc is not at risk... but I don't believe them), having register globals enabled will render any other applications on the same server vulnerable.

 

Rich.

Posted

You can try turning off Register Globals via .htaccess, but I'd then advise you to go to your osC admin panel --> Tools --> Server Info and it's my guess that the entry for Register Globals will say 'on' - especially if PHP is being run in High Security Mode as a jailed cgi.

 

Vger

Posted

Vger,

 

Yes, osC admin panel --> Tools --> Server Info says ON for Register Globals (both Local and Master)!!!

 

What can I do now? Is there a way to minimize the security risks? I cannot edit php.ini since it's a shared server.

 

Ken

Posted

Even on a shared server you may have access to a local php.ini file. Either ask your hosting company or go through the folders below the root of your domain (if you have access to them) and look for a local php.ini file.

 

Vger
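
Added example, not part of the thread or of osCommerce: a POSIX shell audit of the two per-directory override points the replies mention (`.htaccess` and a local `php.ini`), run against a constructed sample web root. The function names and the sample directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report what the per-directory config
# files under a web root say about register_globals. It only reads files;
# Server Info in the osC admin remains the check for what PHP applied.

# Print the last register_globals value set in one file: on, off or unset.
setting_in() {
    raw=""
    case $(basename "$1") in
        php.ini)   # register_globals = Off         (";" starts a comment)
            raw=$(tr 'A-Z' 'a-z' < "$1" | tr -d '"' |
                sed -n 's/^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p' |
                tail -n 1) ;;
        .htaccess) # php_flag register_globals off  ("#" starts a comment)
            raw=$(tr 'A-Z' 'a-z' < "$1" | tr -d '"' |
                sed -n 's/^[[:space:]]*php_[a-z]*[[:space:]]\{1,\}register_globals[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' |
                tail -n 1) ;;
    esac
    case $raw in
        '')            echo unset ;;
        1|on|true|yes) echo on ;;
        *)             echo off ;;
    esac
}

# Print "<file>: <setting>" for every php.ini and .htaccess below a web root.
audit_register_globals() {
    find "$1" -type f \( -name php.ini -o -name .htaccess \) | LC_ALL=C sort |
    while IFS= read -r f; do
        printf '%s: %s\n' "${f#"$1"/}" "$(setting_in "$f")"
    done
}

# Constructed sample web root (hypothetical layout, not taken from the thread).
make_sample_root() {
    d=$(mktemp -d) && mkdir -p "$d/catalog/admin" || return 1
    printf '; local override\nregister_globals = Off ; set by site owner\n' > "$d/php.ini"
    printf '# php_flag register_globals off\nphp_flag register_globals On\n' > "$d/catalog/.htaccess"
    printf 'Options -Indexes\n' > "$d/catalog/admin/.htaccess"
    echo "$d"
}

root=$(make_sample_root) && audit_register_globals "$root"
rm -rf "$root"
```

The output reflects only what the files on disk contain; whether PHP honours them is what the Local and Master values under Tools --> Server Info show.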

Archived

This topic is now archived and is closed to further replies.
