I know that having register_globals=ON is a security risk and we have it OFF.
We want to use the GeekLog content manager and it only works with ON.
Can someone give us some coding tips on how to mitigate any possible security
problems if we turn it on? I know it has to do with a querystring that is
same as a variable name being sent in the URL. How can we prevent that and
still leave globals ON? Anyone have some simple magic?
Thanks,
Al
atakeoutcanton1 (26)
9/11/2003 4:13:28 AM
With total disregard for any kind of safety measures "Adams-Blake
Co." <atakeoutcanton@adams.takeme.out.-blake.com> leapt forth and
uttered:
> I know that having register_globals=ON is a security risk and we
> have it OFF.
>
> We want to use the GeekLog content manager and it only works
> with ON.
>
> Can someone give us some coding tips on how to mitigate any
> possible security problems if we turn it on? I know it has to do
> with a querystring that is same as a variable name being sent in
> the URL. How can we prevent that and still leave globals ON?
> Anyone have some simple magic?
>
> Thanks,
>
> Al
>
>
rm ./geeklog -r
That's the only sure way.
What is geeklog anyway? Have you looked into something else like
Plog? (http://plog.sourceforge.net)
--
There is no signature.....
philrob2 (169)
9/11/2003 7:23:37 AM
What php version are you using?
If your php version is >= 4.1.0
Then add:
import_request_variables('GPC');
in the header of the file.
This will import GET/POST/COOKIE into the global scope.
If you want to import other variables like SERVER
use the function extract().
DO NOT touch your php.ini file!
HTH
"Adams-Blake Co." <atakeoutcanton@adams.takeme.out.-blake.com> wrote in
message news:IDS7b.7577$Yt.7399@newsread4.news.pas.earthlink.net...
> I know that having register_globals=ON is a security risk and we have it OFF.
>
> We want to use the GeekLog content manager and it only works with ON.
>
> Can someone give us some coding tips on how to mitigate any possible security
> problems if we turn it on? I know it has to do with a querystring that is
> same as a variable name being sent in the URL. How can we prevent that and
> still leave globals ON? Anyone have some simple magic?
>
> Thanks,
>
> Al
>
rbaba99 (34)
9/11/2003 11:03:54 AM
"sam" <rbaba99@caramail.com> wrote:
> If your php version is >= 4.1.0
> Then add:
>
> import_request_variables('GPC');
>
> in the header of the file.
> This will import GET/POST/COOKIE into the global scope.
This is nearly the same as using register_globals = on.
Regards,
Matthias
muelleimer2003 (41)
9/11/2003 4:48:50 PM
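As an added example (not code from the thread, from GeekLog or from any poster), this shows the hole Al describes, why Matthias is right that a prefix-less import_request_variables('GPC') reproduces it, and the fix that still lets request keys land in variables: initialise your own variables first and import with EXTR_SKIP or a prefix. The $_GET contents and the $authorized flag are constructed for illustration.

```php
<?php
// Constructed request, standing in for the URL ?authorized=1&page=home.
$_GET = ['authorized' => '1', 'page' => 'home'];

// Emulates register_globals=On, or import_request_variables('GPC') with no
// prefix: every request key becomes a variable in this scope, and nothing
// stops a request key from landing on a name the script never initialised.
function vulnerable(array $request, $validLogin)
{
    extract($request);              // creates $authorized and $page here
    if ($validLogin) {
        $authorized = true;
    }
    // $authorized is only ever set to true, never to false, so the '1'
    // supplied by the request survives this check when the login failed.
    return !empty($authorized) ? 'admin' : 'guest';
}

// Hardened version of the same logic.
function hardened(array $request, $validLogin)
{
    // 1. Initialise every variable the script relies on BEFORE any request
    //    data is imported, so a request key can never supply its value.
    $authorized = false;
    $page = 'home';
    // 2. EXTR_SKIP refuses to overwrite variables that already exist, so only
    //    genuinely new names (the ones the application expects) are imported.
    extract($request, EXTR_SKIP);
    if ($validLogin) {
        $authorized = true;
    }
    return $authorized ? 'admin' : 'guest';
}

// Equivalent protection when using sam's suggestion: a prefix keeps imported
// request variables from colliding with the script's own names.
// import_request_variables('GPC', 'req_');   // yields $req_authorized, not $authorized
// (import_request_variables() exists in PHP 4.1 to 5.3 and was removed in 5.4.)

echo "vulnerable(): ", vulnerable($_GET, false), "\n";
echo "hardened():   ", hardened($_GET, false), "\n";
```

Both calls pass $validLogin = false, so the two outputs differ only because of how the request data was imported.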