Kingdom: Environment
This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.
PHP Misconfiguration: register_globals Enabled
Abstract
Configuring PHP to register all environment, GET, POST, cookie, and server variables globally can lead to unexpected behavior and leaves the door open for attackers.
Explanation
When enabled, the register_globals option causes PHP to register all EGPCS (Environment, GET, POST, Cookie, and Server) variables globally, where they can be accessed in any scope in any PHP program. This option encourages programmers to write programs that are more-or-less unaware of the origin of the values they rely on, which can lead to unexpected behavior in benign environments and leaves the door open to attackers in malicious environments. In recognition of the dangerous security implications of register_globals, the option was disabled by default in PHP 4.2.0 and was deprecated and removed in PHP 6.
Example 1: The following code is vulnerable to cross-site scripting. The programmer assumes the value of $username originates from the server-controlled session, but an attacker may supply a malicious value for $username as a request parameter instead. With register_globals enabled, this code will include a malicious value submitted by an attacker in the dynamic HTML content it generates.
<?php
// $username is never assigned here; with register_globals enabled it may be
// populated from the session or from any request parameter of the same name.
if (isset($username)) {
// The value is emitted into HTML without escaping.
echo "Hello <b>$username</b>";
} else {
echo "Hello <b>Guest</b><br />";
echo "Would you like to login?";
}
?>
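The hardened counterpart of Example 1, as an added example that is not part of the original page: it refuses to run when the deployment still has register_globals enabled, reads the name explicitly from $_SESSION rather than from an unqualified global, and escapes it before emitting HTML. It assumes session_start() has already run and that the login code stores the authenticated name in $_SESSION['username'] (both assumptions, not from the page).

```php
<?php
// Added example (not from the original page). Assumes session_start() has run
// and the login code stores the authenticated name in $_SESSION['username'].

// 1. Detect the misconfiguration at startup. ini_get() returns false when the
//    directive does not exist (PHP builds that removed it) and "" or "0" when
//    it is present but off; only a truthy string means it is enabled.
function registerGlobalsEnabled(): bool
{
    $value = ini_get('register_globals');
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

if (registerGlobalsEnabled()) {
    http_response_code(500);
    exit('Refusing to run: register_globals is enabled in php.ini.');
}

// 2. Name the source of the value explicitly. Because the function only looks
//    at the array it is given, a request parameter called "username" has no
//    effect on the output even on a misconfigured server.
function greeting(array $session): string
{
    if (isset($session['username']) && $session['username'] !== '') {
        // 3. Escape before interpolating into HTML so that whatever ended up
        //    in the session cannot inject markup or script.
        $safe = htmlspecialchars($session['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return "Hello <b>$safe</b>";
    }
    return "Hello <b>Guest</b><br />Would you like to login?";
}

echo greeting($_SESSION ?? []);
?>
```

The startup check is a defence-in-depth guard only; the durable fix is to keep register_globals off (or run a PHP version without it) and to read every input from its named superglobal.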
References
[1] M. Achour et al. PHP Manual
[2] Standards Mapping - Common Weakness Enumeration CWE ID 473
[3] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[4] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[5] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[6] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[8] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)