osCommerce
register globals


Warr


On being asked to evaluate and help configure osCommerce for my father's web site, the first thing I ran into was the fatal error requiring register globals. I did enough homework to find the register globals contribution, and this will work on my test server; however, the public website will run on a server with register globals turned on. This immediately raised my little paranoia red flag.

 

Can anyone put me at ease about the security implications of running this app with register globals on?

 

Has anyone ever encountered a variable injection security exploit?

Have the programmers followed best practices in avoiding this exploit?

What are the worst case scenarios of a variable injection exploit? Fraudulent transactions? Violating customer privacy? Worse?

 

Thanks


In a perfect world, register_globals should always be off.

 

Code written to work with register_globals off is inherently safer than code written assuming register_globals to be on.

 

That being said, I run a production site on which register_globals is turned on and have never experienced, as far as I know, any problems because of it.

Do, or do not. There is no try.

 

Order Editor 5.0.6 "Ultra Violet" is now available!

For support or to post comments, suggestions, etc, please visit the Order Editor support thread.


...

Can anyone put me at ease about the security implications of running this app with register globals on?

...

Many people will tell you that osc is well-enough written to not be vulnerable to exploit via any register globals issues.

 

However, even if this were true (and it may or may not be - I don't know), there are a couple of other issues to consider:

 

1/ Very few people run OSC "out of the box". Most (all?) apply one or (more usually) a multitude of patches and fixes from the contributions that are posted up on here. Question - How many of these contributions (and which ones) are safe from attack via register globals?

 

No, I don't know the answer to this either!

 

Unfortunately, many contributions are STILL not written with "register globals = off" in mind. This is inexcusable and slack, especially as the security issues surrounding register globals have been known for many years, and many contributions are updated on a regular-enough basis to have addressed this long, long ago. Like so much software these days, many people are more interested in adding whizzy "cool" features than actually making the thing work reliably and securely.

 

2/ Even if you could show that osc and all the patches etc. that you are using ARE safe, having register globals set globally on the server means that all other applications running on the server will have register globals enabled for them. It is exactly this scenario that allowed many osc sites to be hacked into a couple of years ago; the vulnerability was in a separate PHP application (sorry - can't remember the name of it now). The silly thing was that this other application did not need register globals to be enabled, but because osc did, it created a security hole in the other application! By the way, I think you can enable/disable register globals on a per-application basis, but you may not necessarily have enough control over the server to do this, and it's not ideal.

 

Rich.

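Two points in the replies above deserve a concrete illustration: djmonkey's remark that code written for register_globals off is inherently safer, and Rich's point that the hole is usually in some other script on the same host that never needed the setting. The following is an added example, not code from the thread or from osCommerce. It is a stand-alone PHP CLI script; the function names, the `'correct-horse'` password and the request array are constructed for the demonstration. register_globals was removed in PHP 5.4, so the script emulates what it did (copying every request parameter into a global variable before the script runs) with `extract()`:

```php
<?php
// Added example (not osCommerce code): how register_globals turns an
// uninitialised variable into an attacker-controlled one, and the fix.
// register_globals no longer exists in PHP >= 5.4; extract() below emulates
// what it did to every request variable before the first line of the script.

// Constructed request, as an attacker would send it: ?authorized=1
$request = array('authorized' => '1');

// VULNERABLE: the classic register_globals-era pattern. $authorized is only
// assigned in the success branch, so with register_globals on it is already
// '1' from the query string before the password is ever checked.
function check_login_vulnerable(array $request, $password)
{
    extract($request);                 // emulates register_globals = On
    if ($password === 'correct-horse') {
        $authorized = true;
    }
    // If the password was wrong, $authorized is whatever the request said.
    return !empty($authorized);
}

// HARDENED: every variable gets an explicit default, input is read only from
// the superglobal you mean, and request data never names a variable.
function check_login_hardened(array $request, $password)
{
    $authorized = false;               // cannot be injected from the request
    if ($password === 'correct-horse') {
        $authorized = true;
    }
    return $authorized;
}

// Same wrong password in both cases: only the vulnerable version lets
// the attacker in.
$vuln = check_login_vulnerable($request, 'wrong-password');
$safe = check_login_hardened($request, 'wrong-password');
echo "vulnerable: " . ($vuln ? 'ACCESS GRANTED' : 'denied') . "\n";  // ACCESS GRANTED
echo "hardened:   " . ($safe ? 'ACCESS GRANTED' : 'denied') . "\n";  // denied

// Runtime check to drop into any page on the live host: shows whether the
// setting is actually on for THIS application, not just what the host says.
echo "register_globals: " . (ini_get('register_globals') ? 'ON' : 'off/absent') . "\n";
```

The second function is also what the "register globals contribution" the original poster mentions amounts to in spirit: initialise and read `$_GET`/`$_POST`/`$_SESSION` explicitly instead of trusting that a variable was set by your own code. On the per-application point, with Apache and mod_php the setting can be scoped to one directory with `php_flag register_globals off` in that directory's `.htaccess` (or `php_admin_flag` in the vhost so it cannot be overridden), which lets the other applications on the host run with it off even while the osCommerce install still needs it on.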

Unfortunately, many contributions are STILL not written with "register globals = off" in mind. This is inexcusable and slack, especially as the security issues surrounding register globals have been known for many years, and many contributions are updated on a regular-enough basis to have addressed this long, long ago. Like so much software these days, many people are more interested in adding whizzy "cool" features than actually making the thing work reliably and securely.

This is true. I've found the best contributions are the ones that are coded to work with register_globals off and have wicked cool features. :)


This is true. I've found the best contributions are the ones that are coded to work with register_globals off and have wicked cool features. :)

Oh I like whizzy features. I just wish people would make sure the basic stuff works first!

 

This is why we have mobile phones that take photos, videos, play MP3s, tell you where you are in the world, give you the time in any part of the world, etc etc etc... ...but are actually pretty crap at being a telephone!

 

Rich.


In all the years that 2.2MS2 has been out, I've never once heard about a variable injection attack. There are instructions available to modify OSC to work with register_globals = Off.

 

BTW: djmonkey, are you still using the PayPal WPP module? I finally fixed the Address Override feature. Finally.

Please use the forums for support! I am happy to help you here, but I am unable to offer free technical support over instant messenger or e-mail.


Thanks for the feedback.

 

I think I will bite the bullet and run osc as is. I would like to encourage all osc developers (not to mention PHP developers and web hosts in general) to develop a register globals off by default attitude in their work.


BTW: djmonkey, are you still using the PayPal WPP module? I finally fixed the Address Override feature. Finally.

My ship has finally come in....


I would like to encourage all osc developers (not to mention PHP developers and web hosts in general) to develop a register globals off by default attitude in their work.

A novel concept. 3.0 is designed to work with register_globals off.

