From: Chris Weiss
Subject: Re: [Phpgroupware-users] Register Globals (was ldapmodify.php; data not being submitted)
Date: Mon, 31 Mar 2003 14:35:12 +0000

>This may be true, but if you don't know what to look for, you can't find the
>answers.  Solutions to known issues need to be documented based on the
>symptoms of the problem or people not in the know won't be able to find them.
>I for one plan to do my part to make this happen.

it's in all the install docs....

>Perhaps it would be worth documenting which files are affected and how people
>could minimize the impact of the potential security issues it may cause.  In
>this case, simply turning register_globals back off after you're finished
>modifying user accounts would close the door again.  As long as there isn't
>anything critical elsewhere that needs it.  If people want to submit details
>to me, I'd be happy to start such a document.

That's the problem: we don't know what files are affected until someone tries it
and goes through trying to figure out why things aren't working.  If we knew where
all the problems were it would be rather easy to fix.

As far as security issues, in the core of phpgw register_globals isn't required
and so there are no security issues.  In the parts that still require it the issues
will depend on how they are using the globals.  The security issues aren't because
of register_globals, but because using globals makes it easy to create sloppy code
that can be "tricked" into doing things you didn't expect.  It's totally a coding
issue, and it is quite possible to code using globals securely.

>> 5 The 0.9.16 API supports our GPC variable sanitizer function "get_var"
>> - now it is up to devs to implement it in their apps.

GPC is Get, Post, Cookies; register_globals makes them directly available in every
script.  Without register_globals you have to request the vars out of the proper
HTTP bits.  The new get_var function makes it easy to do this while maintaining
the security.

>> 6 phpGW does not run with safe_mode = on which many hosts now use as the
>> default config.  This is something else that will need to be addressed -
>> but unlikely in 0.9.16

I don't think this can ever happen.  phpgw is a HUGE app, and many useful parts
depend on the ability to make TCP connections and create files on the file system,
which safe mode disables.  php safe mode is the lazy way to secure a web server.
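An added illustration of the "sloppy code" point and the explicit-GPC alternative discussed above; this is not phpGroupWare code and not from this thread, and the `request_var()` helper and `account_is_admin()` lookup are hypothetical stand-ins, not the real `get_var()`:

```php
<?php
// Added example, not phpGroupWare code. With register_globals = On every
// GET/POST/cookie name becomes a PHP global before the script runs, so code
// that relies on a variable being *unset* is decided by the client, not the script.

// Hypothetical stand-in for the application's own account lookup.
function account_is_admin(string $user): bool
{
    return $user === 'admin';   // constructed check for the example only
}

// --- Sloppy pattern (breaks under register_globals = On) ---------------------
// $is_admin is only assigned on the admin path and never initialised, so a
// request parameter of the same name has already created the global.
function sloppy_check(string $user): bool
{
    global $is_admin;
    if (account_is_admin($user)) {
        $is_admin = true;
    }
    return !empty($is_admin);
}

// --- Hardened pattern (safe whether register_globals is on or off) -----------
// 1. Every variable used in a decision is initialised by the script itself.
// 2. Request data is read from the explicit superglobals and type-checked;
//    this helper is a simplified, hypothetical sanitizer in the spirit of
//    the thread's get_var(), not phpGW's function.
function request_var(string $name, array $sources = ['post', 'get'], string $type = 'string')
{
    $map = ['get' => $_GET, 'post' => $_POST, 'cookie' => $_COOKIE];
    foreach ($sources as $src) {
        if (isset($map[$src][$name])) {
            $value = $map[$src][$name];
            switch ($type) {
                case 'int':   return filter_var($value, FILTER_VALIDATE_INT);
                case 'alnum': return ctype_alnum((string) $value) ? (string) $value : null;
                default:      return is_string($value) ? $value : null;
            }
        }
    }
    return null;   // absent or wrong-typed input is treated as "not supplied"
}

function hardened_check(): bool
{
    $is_admin = false;                                   // initialised: cannot be pre-set
    $user = request_var('user', ['post'], 'alnum');      // explicit source, explicit type
    if ($user !== null && account_is_admin($user)) {
        $is_admin = true;
    }
    return $is_admin;
}
```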
