
My session values are being edited without $_SESSION?


Garethp

Ok, so this is a weird error that bugs me, and I want to know why this happens. Basically the title says it all. When I set $ID, it seems to edit $_SESSION['ID']. Here's some code I did to test

 

echo $ID;
session_start();
echo $_SESSION['ID'];
$ID = 3;
echo $_SESSION['ID'];

 

And my output is

1

2

3

 

I don't know why it was 1, but 2 is the value I had it set to before (during login)

You are getting burnt (and possibly hacked) by php's biggest blunder, register_globals.

 

Assuming you don't have any existing scripts that rely on register_globals to work, you should turn register_globals off ASAP. You can turn them off in the master php.ini (assuming you have access to it), in a local php.ini (assuming php is running as a CGI application), or in a .htaccess file (when php is running as an Apache Module.)

 

Frankly, we are surprised to still see people with register_globals problems, because the setting was turned off by default over 8 years ago, because it allows a hacker to set your session variables to any value they want and a lot of web sites have been taken over.

Taken from the PHP Manual:

<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}

// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>

In addition to that example, I could visit one of your pages that tests a $_SESSION variable to determine if someone is logged in or is an administrator and can set it like so -

 

http://your_domain.com/secure_page.php?any_session_variable_name = the value I want

 

Your secure_page.php -

<?php
session_start();
if(!isset($_SESSION['any_session_variable_name'])){
    // not logged in
    header('Location: not_logged_in.php');
    exit;
}
// I am here because I was able to set your session variables to any value I wanted by simply putting a matching GET parameter on the end of the URL

// the rest of your page that you thought was secured by the above code
?>

 

Another example is that some major scripts set a config variable that holds the path to files to be included, then includes a loader file that starts including files (such as templates, classes, or components of a cms...) based on that variable. All I need to do is request that loader file with a GET parameter that tells it to include the second level of files from my server and I just got my php code to be executed on your server (assuming that the php setting that allows this is on in addition to the register_globals setting.)
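
A hardened counterpart to the two vulnerable pages quoted above, as an added example that is not part of the original thread: it refuses to run while register_globals is on, initializes $authorized before use, and takes login state only from $_SESSION. The session key user_id and the integer type check are assumptions about your own login code; the syntax is kept compatible with the old PHP 5 releases that still have this setting.

```php
<?php
// Added example, not code from the thread or from the PHP Manual.
// Assumption: the login script stores an integer in $_SESSION['user_id'].

// True when this PHP build still honours register_globals and it is switched on.
// ini_get() returns false for a directive that does not exist (PHP 5.4 and later).
function register_globals_enabled()
{
    $value = ini_get('register_globals');
    if ($value === false) {
        return false;
    }
    return in_array(strtolower(trim($value)), array('1', 'on', 'yes', 'true'), true);
}

// Fail closed: with the setting on, GET/POST/COOKIE names have already been
// copied into global scope, so nothing below could be trusted.
if (register_globals_enabled()) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('register_globals is on; disable it before running this application.');
}

session_start();

// Initialize first, so the only way to reach "true" is the check below.
$authorized = false;

// Read login state from the $_SESSION superglobal only, never from a bare
// global such as $user_id, and check the type as well as the presence.
if (isset($_SESSION['user_id']) && is_int($_SESSION['user_id'])) {
    $authorized = true;
}

if (!$authorized) {
    header('Location: not_logged_in.php');
    exit;
}

// The rest of the page runs only for a session created by the login script.
echo 'Protected content for user ' . $_SESSION['user_id'];
```

The guard cannot be replaced by an ini_set() call inside the script, because register_globals takes effect before the script starts; it has to be switched off in php.ini or .htaccess as described above.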

Archived

This topic is now archived and is closed to further replies.
