Consider the following code snippet. Is this code acceptable from a security standpoint?
Assume that the $action and $data variables are designed to be accepted from the user and
register_globals is enabled.
<?php
// $isAdmin is only ever assigned on the admin path; on the non-admin path it is
// left undefined, which is what register_globals lets a request supply.
if (isUserAdmin()) {
    $isAdmin = true;
}
$data = validate_and_return_input($data);
switch ($action) {
    case 'add':
        addSomething($data);
        break;
    case 'delete':
        if ($isAdmin) {
            deleteSomething($data);
        }
        break;
    case 'edit':
        if ($isAdmin) {
            editSomething($data);
        }
        break;
    default:
        print "Bad Action.";
}
?>
A. Yes, it is secure. It checks for $isAdmin to be True before executing protected operations
B. No, it is not secure because it doesn’t make sure $action is valid input
C. No, it is not secure because $isAdmin can be hijacked by exploiting register_globals
D. Yes, it is secure because it validates the user-data $data
E. Both A and B
The correct answer is C. This code is by no means secure. In fact, it is the classic security flaw of PHP scripts that rely on the register_globals configuration directive. The problem lies in the $isAdmin variable: although it is clearly meant to be a Boolean, it is only assigned when the user is an admin and is never initialised when the user is not. Because register_globals is enabled, a malicious user could impersonate an administrator simply by appending that variable to the URL as a GET parameter:
http://www.example.com/action.php?action=delete&data=foo&isAdmin=1
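The following script is an added illustration and is not part of the quiz or its answer key. It places the vulnerable shape next to a hardened one so the difference can be observed by running it. Because register_globals was removed in PHP 5.4, the example reproduces its effect with extract($_GET) on a constructed request array; isUserAdmin() and validate_and_return_input() are hypothetical stand-ins for the quiz's undefined helpers, and the constructed request models a non-admin caller appending isAdmin=1.

```php
<?php
// Added example (not the quiz's own code). register_globals is emulated with
// extract(): every query-string key becomes a local variable, exactly as the
// directive used to do. Everything below runs offline on a constructed request.
declare(strict_types=1);

// Constructed request: the caller is NOT an admin but supplies isAdmin=1.
$request = ['action' => 'delete', 'data' => 'foo', 'isAdmin' => '1'];

// Hypothetical helpers standing in for the quiz's undefined functions.
function isUserAdmin(): bool
{
    return false; // the real check would consult the session; here the caller is not an admin
}

function validate_and_return_input(string $d): string
{
    // Hypothetical input filter: keep only a conservative character set.
    return preg_replace('/[^a-z0-9_-]/i', '', $d) ?? '';
}

// Vulnerable shape from the quiz, register_globals emulated by extract().
function vulnerable(array $get): string
{
    extract($get);                         // $action, $data and $isAdmin become locals
    if (isUserAdmin()) {
        $isAdmin = true;                   // only the admin path assigns $isAdmin
    }
    $data = validate_and_return_input((string) ($data ?? ''));
    switch ($action ?? '') {
        case 'delete':
            // $isAdmin here is whatever the request injected ('1' is truthy)
            return $isAdmin ? "deleted $data" : 'denied';
        default:
            return 'Bad Action.';
    }
}

// Hardened shape: $isAdmin is always initialised from the real check, request
// values are read explicitly from the array, the action is whitelisted, and
// the authorization decision is made in one place.
function hardened(array $get): string
{
    $isAdmin = isUserAdmin();              // always a Boolean, never request-controlled
    $action  = (string) ($get['action'] ?? '');
    $data    = validate_and_return_input((string) ($get['data'] ?? ''));

    // action => whether it requires admin privileges
    $allowed = ['add' => false, 'delete' => true, 'edit' => true];
    if (!array_key_exists($action, $allowed)) {
        return 'Bad Action.';
    }
    if ($allowed[$action] && !$isAdmin) {
        return 'denied';
    }
    return "$action $data";
}

echo 'vulnerable: ', vulnerable($request), PHP_EOL;
echo 'hardened:   ', hardened($request), PHP_EOL;
```

Running it shows the vulnerable function performing the delete for a non-admin, because the injected isAdmin value fills the variable the code never initialised, while the hardened function denies the same request. The two defensive properties to carry over are initialising every security-relevant variable before use (so a missing assignment can never be supplied from outside) and reading request data only through $_GET, $_POST or a validated wrapper rather than through ambient globals.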
