8th Jul 10
Bart
Consider the following code snippet. Is this code acceptable from a security standpoint?
Assume that the $action and $data variables are designed to be accepted from the user and
register_globals is enabled.
<?php
if(isUserAdmin()) {
$isAdmin = true;
}
$data = validate_and_return_input($data);
switch($action){
case 'add':
addSomething($data);
break;
case 'delete':
if($isAdmin) {
deleteSomething($data);
}
break;
case 'edit':
if($isAdmin) {
editSomething($data);
}
break;
default:
print “Bad Action.”;
}
?>
A. Yes, it is secure. It checks for $isAdmin to be True before executing protected operations
B. No, it is not secure because it doesn’t make sure $action is valid input
C. No, it is not secure because $isAdmin can be hijacked by exploiting register_globals
D. Yes, it is secure because it validates the user-data $data
E. Both A and B
The correct answer is C. This code is, by any means, not secure! In fact, it is the classic security exploit of PHP scripts using the register_globals configuration directive. The problem lies in the $isAdmin variable: although this is clearly a Boolean value, it is only set in the event that the user is an Admin and not set at all if the user is not. Because register_globals is enabled, by simply appending that variable to the end of the URL as a GET parameter, a malicious user could easily impersonate an administrator:
http://www.example.com/action.php?action=delete&data=foo&isAdmin=1
Related posts:
Mishi
July 14th, 2010 at 16:27
Why is it a security risk?
Bart
July 14th, 2010 at 16:35
Hi Mishi,
Good examples are difficult to produce for everyone, because it often requires a unique situation to make the risk clear. However, the most common example is that found in the PHP manual:
<?php if (authenticated_user()){ $authorized = true; } if ($authorized){ include '/highly/sensitive/data.php'; } ?>With register_globals enabled, this page can be requested with ?authorized=1 in the query string to bypass the intended access control. Of course, this particular vulnerability is the fault of the developer, not register_globals, but this indicates the increased risk posed by the directive. Without it, ordinary global variables (such as $authorized in the example) are not affected by data submitted by the client. A best practice is to initialize all variables and to develop with error_reporting set to E_ALL, so that the use of an uninitialized variable won’t be overlooked during development.
free tutorials
July 22nd, 2010 at 21:46
Hey thanks a lot for sharing useful interview questions….. which will be very helpful while attending the interviews…..
glad i found ur site…really a very helpful site…..
by the way check out my collection of php interview questions from here: php interview questions