03 August, 2006

register_globals disabled

Due to recent vulnerabilities in various PHP web applications that rely on register_globals being enabled, we disabled register_globals on all our Unix/Linux servers on 20 July 2006.

Some of the past exploits that made use of register_globals, or had it as one of their causes, are listed below:

PmWiki Unregister "register_globals" Layer Bypass -
http://secunia.com/advisories/18634/
phpMyAdmin register_globals Emulation "import_blacklist" Manipulation -
http://secunia.com/advisories/17925/
Mambo "register_globals" Emulation Layer Overwrite Vulnerability -
http://secunia.com/advisories/17622/
phpSysInfo "register_globals" Emulation Layer Overwrite Vulnerability -
http://secunia.com/advisories/17441/
Mambo / Joomla perForms "mosConfig_absolute_path" File Inclusion -
http://secunia.com/advisories/21044/
CzarNews "tpath" File Inclusion Vulnerability -
http://secunia.com/advisories/21038/
Phorum Cross-Site Scripting and Local File Inclusion -
http://secunia.com/advisories/21043/
Mambo SiteMap Component File Inclusion Vulnerability -
http://secunia.com/advisories/21055/
Joomla com_hashcash Component File Inclusion Vulnerability -
http://secunia.com/advisories/21053/
Pivot Multiple Vulnerabilities -
http://secunia.com/advisories/20962/
Mambo PccookBook Component File Inclusion Vulnerability -
http://secunia.com/advisories/21015/
Mambo SimpleBoard Component "sbp" File Inclusion Vulnerability -
http://secunia.com/advisories/20981/
Mambo Galleria Module "mosConfig_absolute_path" File Inclusion -
http://secunia.com/advisories/20949/
phpRaid SQL Injection and File Inclusion Vulnerabilities -
http://secunia.com/advisories/20200/
phpRaid SQL Injection and File Inclusion Vulnerabilities -
http://secunia.com/advisories/20865/
Pearl Products File Inclusion Vulnerabilities -
http://secunia.com/advisories/20819/
Mambo MOD_CBSMS Module File Inclusion Vulnerability -
http://secunia.com/advisories/20823/
Qdig Cross-Site Scripting Vulnerabilities -
http://secunia.com/advisories/20808/
phpBB THoRCMS Add-On "phpbb_root_path" File Inclusion -
http://secunia.com/advisories/20815/
Bee-hive Lite Multiple File Inclusion Vulnerabilities -
http://secunia.com/advisories/20814/
BandSite CMS "root_path" File Inclusion Vulnerabilities -
http://secunia.com/advisories/20768/

More such advisories can be found at
http://secunia.com/search/?search=register_globals

Security is always our first priority.

By disabling register_globals, only those PHP web applications that were written with no code security in mind, and therefore depend on it, will be affected.

There is a workaround to have it enabled on a per site/directory basis: upload a .htaccess file with the following content to the directory/site:

----------------------------------------
php_value register_globals 1
----------------------------------------

However, please note that enabling register_globals would open a security hole in your application.
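The following is an added example and not part of this notice. It shows what "depending on register_globals" looks like in a typical 2006-era script (the pattern behind the "root_path" / "mosConfig_absolute_path" file inclusion advisories listed above) and how the same feature is written so it works with register_globals disabled. The file layout, the module names and the function names are hypothetical.

```php
<?php
// Added example, not code from the hosting notice. File and variable names
// (APP_ROOT, $root_path, modules/*.php) are hypothetical.

// --- BEFORE: depends on register_globals ------------------------------
// $root_path is never assigned in this file. With register_globals=On, any
// request parameter of the same name already exists as a global variable
// when this function runs, so the include path is chosen by the request.
// With register_globals=Off the variable is simply undefined and the
// include fails, which is the "breakage" the notice refers to.
function legacy_load_module($module)
{
    global $root_path;                       // never initialised here
    include $root_path . '/modules/' . $module . '.php';
}

// --- AFTER: same feature, no dependence on register_globals -----------
// 1. Configuration comes from the code, so it cannot come from the request.
define('APP_ROOT', dirname(__FILE__));

// 2. Request input is read only from the superglobals, and only values
//    from a fixed list of loadable modules are accepted.
$allowed_modules = array('news', 'gallery', 'contact');

function safe_load_module($requested, array $allowed)
{
    // Strict comparison: the request value must exactly match an entry.
    if (!in_array($requested, $allowed, true)) {
        return false;                        // unknown module: refuse
    }
    $path = APP_ROOT . '/modules/' . $requested . '.php';
    if (!is_file($path)) {
        return false;                        // configured but missing
    }
    include $path;
    return true;
}

$module = isset($_GET['module']) ? $_GET['module'] : 'news';
safe_load_module($module, $allowed_modules);
```

The rewritten version keeps working whether register_globals is on or off, so the .htaccess override is not needed. Avoid re-creating the problem in application code with an emulation layer such as extract($_REQUEST) or import_request_variables(); several of the advisories above ("register_globals Emulation Layer Overwrite") are exactly that pattern letting a request overwrite configuration variables.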

No matter where or how you get your script/application, whether written by your programmer, installed from cPanel, downloaded or bought from somewhere, please make sure your application is up to date and secure. Upgrade your application whenever there's a new release.

We will not hesitate to remove any affected/exploited script immediately and without notice.

Thank you for your attention.