register_globals in php4

To: debian-security@lists.debian.org
Subject: register_globals in php4
From: Patrick Hsieh <pahud@pahud.net>
Date: Fri, 10 May 2002 00:09:22 +0800
Message-id: <[🔎] 20020510000423.B03F.PAHUD@pahud.net>

Hello list,

php4.1 recommends to set register_globals=off in php.ini to make php
more strict.  My question is, if I turn off register_globals, what will
happen if any malicious user just try to modify the variable values in
the url? Say,

http://www.domain.com/xxx.php?id=3&sex=female

Does it work if user just change the value in the URL directly and send
the url directly to web server?

How can we avoid the malicious attack by directly http GET/POST with
modified parameter values to make possible system error or compromise?


-- 
Patrick Hsieh <pahud@pahud.net>
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: register_globals in php4
  - From: "Christian G. Warden" <cwarden@xerus.org>

Prev by Date: Re: Fixing file system privileges
Next by Date: Re: register_globals in php4
Previous by thread: Re: Fixing file system privileges
Next by thread: Re: register_globals in php4
Index(es):
- Date
- Thread