Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

register_globals On? Security?


zamzmith

Recommended Posts

With all the security warnings about register_globals On why doesn't anyone seem concerned about the osCommerce package requiring register_globals to be On?

 

Has there been any discussion of a version that will run with "register_globals Off"?

Link to comment
Share on other sites

We plan of removing the register globals requirement before 2.2 is released as final.

Mark Evans

osCommerce Monkey & Lead Guitarist for "Sparky + the Monkeys" (Album on sale in all good record shops)

 

---------------------------------------

Software is like sex: It's better when it's free. (Linus Torvalds)

Link to comment
Share on other sites

With all the security warnings about register_globals On why doesn't anyone seem concerned about the osCommerce package requiring register_globals to be On?

 

Has there been any discussion of a version that will run with "register_globals Off"?

register_globals being ON is not a security hole. All it does is allow users to write bad code. Even with register_globals being OFF, users can still write bad code. There are just more ways to write bad code with register_globals being on.

 

Since the developers of osCommerce seem to be a little farther advanced than "newb" status in PHP, I doubt that they (very often) use variables that are undeclaired, or use variable names/values from the URL without checking them first. As far as I know, those are the major reasons why people say "register_globals" on is bad. If you know how to program well, then you can safely leave it on. If you don't...learn quickly.

Link to comment
Share on other sites

Since the developers of osCommerce seem to be a little farther advanced than "newb" status in PHP

 

Thanks ;)

 

Yes we are aware of the problems relating to register globals and rest assured that we are doing everything possible to make osCommerce as secure as possible :)

Mark Evans

osCommerce Monkey & Lead Guitarist for "Sparky + the Monkeys" (Album on sale in all good record shops)

 

---------------------------------------

Software is like sex: It's better when it's free. (Linus Torvalds)

Link to comment
Share on other sites

All fine and dandy but how about some alternatives...

eg.

 

.htaccess

php_flag register_globals on

 

This works for backwards compatibilty with all of my other websites but

not oscommerce.....

 

I can't afford to change my php.ini for all of my sites because 1 requires it. It has been 4-5 months at least now since the php upgrade....

Link to comment
Share on other sites

I can't afford to change my php.ini for all of my sites because 1 requires it.  It has been 4-5 months at least now since the php upgrade....

 

You can do it in the .htaccess file as you suggested so that is probrably the best way forward for you.

 

The reason the problem is still there is because we are trying to maintain PHP3 compatability for 2.2.

 

Once we get past 2.2 then PHP3 compatability will be dropped and things get much easier from then on :)

Mark Evans

osCommerce Monkey & Lead Guitarist for "Sparky + the Monkeys" (Album on sale in all good record shops)

 

---------------------------------------

Software is like sex: It's better when it's free. (Linus Torvalds)

Link to comment
Share on other sites

  • 3 weeks later...
  • 1 month later...
  • 4 weeks later...
The reason the problem is still there is because we are trying to maintain PHP3 compatability for 2.2.

 

Once we get past 2.2 then PHP3 compatability will be dropped and things get much easier from then on :)

 

For those of us not running in a PHP3 environment and willing to do some hacking, can you give a general idea what parts of the code rely upon Register Globals = on?

 

Thanks,

The optimist proclaims that we live in the best of all possible worlds! The pessimist fears this is true.

Link to comment
Share on other sites

  • 1 month later...
The reason the problem is still there is because we are trying to maintain PHP3 compatability for 2.2.

 

Once we get past 2.2 then PHP3 compatability will be dropped and things get much easier from then on :)

 

For those of us not running in a PHP3 environment and willing to do some hacking, can you give a general idea what parts of the code rely upon Register Globals = on?

 

Thanks,

 

Oops, my post ended in page 2. Anyway, this is the previous post I was referring to.

Link to comment
Share on other sites

Any variable that gets passed in from a form or in a url needs Register_Globals to be ON without the use of $HTTP_POST_VARS or $HTTP_GET_VARS, respectively. It will be a HUGE pain in the butt to find out which variables these are.

 

-j

Link to comment
Share on other sites

For what it's worth, seems as though the osC programmers have been pretty good about using the $HTTP_POST_VARS or $HTTP_GET_VARS arrays. There are a bunch of globals declared in the functions however.

 

Fully agree about the PITB tracking them down. If anyone has any magical ideas to expedite this process... I would like to shut Register_Globals off so I can sleep better at night ;-)

The optimist proclaims that we live in the best of all possible worlds! The pessimist fears this is true.

Link to comment
Share on other sites

Get a new host :wink: ? If you can, I suggest using the banner in the upper right corner - They work great by me.

The optimist proclaims that we live in the best of all possible worlds! The pessimist fears this is true.

Link to comment
Share on other sites

  • 4 weeks later...
The the .htaccess file hack work if you are on Win 2K?

.htaccess does not work with IIS, but if you have apache on win2k, it should work.

 

However, you could try commenting out the "register_globals" check in 'application_top.php':

/*

if (function_exists('ini_get')) {

   ini_get('register_globals') or exit('FATAL ERROR: register_globals is disabled in php.ini, please enable it!');

 }

*/

and replacing it with the following:

$_GET =& $HTTP_GET_VARS;

$_POST =& $HTTP_POST_VARS;

$_ENV =& $HTTP_ENV_VARS;

$_SERVER =& $HTTP_SERVER_VARS;

$_FILES =& $HTTP_POST_FILES;

$_COOKIE =& $HTTP_COOKIE_VARS;



foreach($_GET as $gvar=>$gval){

$$gvar=$gval;

}

foreach($_POST as $pvar=>$pval){

$$pvar=$pval;

}

foreach($_COOKIE as $cvar=>$cval){

$$cvar=$cval;

}

foreach($_SERVER as $svar=>$sval){

$$svar=$sval;

}

foreach($_FILES as $fvar=>$fval){

$$fvar=$fval;

}

foreach($_ENV as $evar=>$eval){

$$evar=$eval;

}

foreach($_REQUEST as $rvar=>$rval){

$$rvar=$rval;

}

IN THEORY that should accomplish the same thing as register globals being on. the first part just makes the old globals and new globals reference the same values. and all the "foreach" 's do is assign all superglobal values to corresponding local values.

 

note, there are also the $_SESSION and $HTTP_SESSION_VARS arrays, but they are trickier. for one thing, you can't deal with them until after this line in application_top.php:

tep_session_start();

for another thing, osc *sort of* uses it's own session management, so doing the above trick with the $_SESSION variables may or may not work.

 

none of this has been tested, but you can give it a shot. email me if you have questions or want help.

 
Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...