phpgroupware-users

Re: [Phpgroupware-users] Register Globals (was ldapmodify.php; data not


From: Izzy Blacklock
Subject: Re: [Phpgroupware-users] Register Globals (was ldapmodify.php; data not being submitted)
Date: Mon, 31 Mar 2003 09:00:24 -0700
User-agent: KMail/1.4.3

On Monday 31 Mar 2003 7:35 am, Chris Weiss wrote:
> >This may be true, but if you don't know what to look for, you can't find
> > the answers.  Solutions to known issues need to be documented based on the
> > symptoms of the problem or people not in the know won't be able to find
> > them. I for one plan to do my part to make this happen.
>
> it's in all the install docs....

I beg to differ.  The only document I've found regarding php.ini is the one 
Dave just pointed out.  It isn't anywhere on the web site that I found.  
AxisGW was the only website I found with the details when I needed them.  
Thanks to their open wiki, they are now complete again.

> >Perhaps it would be worth documenting which files are affected and how
> > people could minimize the impact of the potential security issues it may
> > cause.  In this case, simply turning register_globals back off after you're
> > finished modifying user accounts would close the door again.  As long as
> > there isn't anything critical elsewhere that needs it.  If people want to
> > submit details to me, I'd be happy to start such a document.
>
> that's the problem, we don't know what files are affected until someone
> tries it and goes through trying to figure why things aren't working.  If
> we knew where all the problems were it would be rather easy to fix.

Well, we now know that ldapmodify.php is affected.  It sounds like a good 
enough place to start to me.  I've already documented the problem in my ldap 
howto and submitted a bug report.  As people find other files affected, the 
same should be done.  If there's an open wiki page someplace that people can 
add to as they are found, the problem will be well documented!  I'd be more 
than happy to start such a page over at AxisGW if necessary.

> As far as security issues, in the core of phpgw register_globals isn't
> required and so there are no security issues.  In the parts that still
> require it the issues will depend on how they are using the globals.  The
> security issues aren't because of register globals, but because using
> globals makes it easy to create sloppy code that can be "tricked" to doing
> things you didn't expect.  It's totally a coding issue, and is quite
> possible to code using globals securely.

I won't disagree.  But if the default php.ini file sets it to off, then people 
need to know that they have to set it to on.  Further, they need to know that 
this is what the problem is when they experience the symptoms of the problem.  
Think about it from the point of view of someone trying to install phpGW for 
the first time.  How are they going to know what to look for?

...Izzy
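
Added example, not part of the original message and not phpGroupWare code: the coding pattern the quoted reply describes, shown as a sloppy handler, the same handler with its variable initialised, and a version that does not need register_globals at all. The function names, the `is_admin` and `uid` parameters and the sample request are hypothetical, and `extract()` stands in for register_globals=On so the script runs on current PHP.

```php
<?php
// Constructed input: a non-admin session and a request carrying one
// parameter the form never defined.
$session = ['role' => 'user'];
$request = ['uid' => 'jdoe', 'is_admin' => '1'];

// 1. Sloppy: $is_admin is assigned on one branch only. extract() stands in
//    for register_globals=On, which turned request parameters into variables
//    before the script ran, so the request value is still there when tested.
function modify_sloppy(array $request, array $session): string
{
    extract($request);
    if ($session['role'] === 'admin') {
        $is_admin = true;
    }
    return !empty($is_admin) ? "modified $uid" : 'denied';
}

// 2. Same mechanism, but the variable that drives the decision is always
//    assigned from trusted state before use, so a request value cannot
//    survive. ($uid is still unvalidated here.)
function modify_initialised(array $request, array $session): string
{
    extract($request);
    $is_admin = ($session['role'] === 'admin');
    return $is_admin ? "modified $uid" : 'denied';
}

// 3. No dependence on the setting: input is read explicitly and validated.
function modify_explicit(array $request, array $session): string
{
    $is_admin = ($session['role'] === 'admin');
    $uid = $request['uid'] ?? '';
    if (!is_string($uid) || !preg_match('/^[A-Za-z0-9._-]{1,32}$/', $uid)) {
        return 'rejected';
    }
    return $is_admin ? "modified $uid" : 'denied';
}

// Run all three against the same constructed request.
foreach (['modify_sloppy', 'modify_initialised', 'modify_explicit'] as $fn) {
    echo str_pad($fn, 20), $fn($request, $session), PHP_EOL;
}
```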



