As if we needed more evidence that register_globals is bad

For the past few years, PHP security experts have been pounding on the heads of sysadmins to turn off register_globals.  While default installs of PHP turn it off, some popular web apps (especially older versions) insist on using it, so some webhost sysadmins will turn it on, presumably to make things go smoothly for their customers.  Oops!

CVE-2007-0233, what seems like the 300th Wordpress vulnerability in the last two weeks, reports an SQL injection vulnerability in Wordpress 2.0.6 (which was only released 11 days ago). The exploit appears to rely on register_globals being enabled, though:

funkatron@foo > php xpl.php foo.com /wp/

---------------------------------------------------------------------------
Wordpress < = 2.0.6 wp-trackback.php Zend_Hash_Del_Key_Or_Index /
/ sql injection admin hash disclosure exploit
(needs register_globals=on, 4 <= PHP < 4.4.3,< 5.1.4)
by rgod
dork: "is proudly powered by WordPress"
mail: retrog at alice dot it
site: http://retrogod.altervista.org
---------------------------------------------------------------------------

pwd hash   ->
admin user ->
exploit failed…

This is a good example of why web app security (and any security, for that matter) must be multilayered: on the hardware level, on the server daemon level, on the language environment level, and on the code level. So, for the love of god, STOP ENABLING REGISTER_GLOBALS, upgrade to Wordpress 2.0.7, and (shameless plug) use PhpSecInfo to audit your PHP environment.
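For a host where customers can override settings per directory, the same audit can be run over the configuration text itself. The sketch below is an added example, not PhpSecInfo's code or anything from the original post; the file names and sample contents are constructed, and it assumes php.ini-style files plus Apache mod_php `php_flag` / `php_admin_flag` directives.

```python
import re

# Values PHP's ini parser reads as boolean true (case-insensitive).
INI_TRUE = {"1", "on", "true", "yes"}
# mod_php's php_flag / php_admin_flag treat only "on" and "1" as true.
APACHE_TRUE = {"1", "on"}

INI_RE = re.compile(r'^\s*register_globals\s*=\s*"?([^\s;"]*)', re.I)
APACHE_RE = re.compile(
    r"^\s*(php_admin_flag|php_flag)\s+register_globals\s+(\S+)", re.I)


def ini_enables(text):
    """True if php.ini-style text ends with register_globals on (last wins)."""
    enabled = False
    for line in text.splitlines():
        m = INI_RE.match(line)
        if m:  # commented-out lines start with ';' and never match
            enabled = m.group(1).lower() in INI_TRUE
    return enabled


def apache_enables(text):
    """(line number, directive) pairs in httpd.conf/.htaccess text that enable it."""
    return [(n, m.group(1).lower())
            for n, line in enumerate(text.splitlines(), 1)
            if (m := APACHE_RE.match(line)) and m.group(2).lower() in APACHE_TRUE]


def audit(files):
    """Map of file name -> reason, for every config text that enables it."""
    findings = {}
    for name, text in files.items():
        if name.endswith(".ini"):
            if ini_enables(text):
                findings[name] = "register_globals enabled in ini file"
        elif (hits := apache_enables(text)):
            findings[name] = "%s on line %d" % (hits[0][1], hits[0][0])
    return findings


# Constructed sample configuration, not taken from any real host.
SAMPLE = {
    "php.ini": "; register_globals = On\nregister_globals = Off\n",
    "customer1/.htaccess": "# legacy app\nphp_flag register_globals on\n",
    "customer2/.htaccess": "php_flag register_globals off\n",
    "customer3/php.ini": 'register_globals = "1" ; needed by old cart\n',
}

if __name__ == "__main__":
    for name, why in audit(SAMPLE).items():
        print(name + ": " + why)
```

A clean server-wide php.ini is not enough on its own: the constructed sample shows two per-directory overrides re-enabling the setting underneath it.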

Comments

Posted by Sicurezza, ICT ed altro » Blog Archive »
on Tuesday, January 16, 2007 at 10:53 AM

[...] Wordpress 2.0.6 is (already) vulnerable too. This CERIAS post discusses the issue and highlights how "multilevel security" is needed precisely to limit the consequences of a vulnerability in one of the many components of a site/system/information system. [...]

Posted by PHP Devils » As if we needed more evidence t
on Sunday, March 4, 2007 at 02:26 PM

[...] A short note on the harm of having register_globals enabled. For the past few years, PHP security experts have been pounding on the heads of sysadmins to turn off register_globals. While default installs of PHP turn it off, some popular web apps (especially older versions) insist on using it, so some webhost sysadmins will turn it on, presumably to make things go smoothly for their customers. Oops! Web app security (and any security, for that matter) must be multilayered: on the hardware level, on the server daemon level, on the language environment level, and on the code level. [...]