CI is insecure with Register Globals enabled
#1

[eluser]Jon L[/eluser]
okay, pretty much everyone with half a brain is aware that Register Globals are *bad*, but for the people that still have it enabled on their webservers, installing CodeIgniter opens up possible security flaws.

An example url is the following that allows you to generate a javascript link on the application 404 error page

Quote:/system/application/errors/error_404.php?heading=Click%20the%20link&message;=<a%20href="[removed]alert('hi');">click%20me</a>


To fix this immediately, you can modify your .htaccess file, and add the following line (this works on most, but not all, servers):
Code:
php_flag register_globals 0
#2

[eluser]Crafter[/eluser]
Nice tip.

I've always used php_flag register_globals off.
Never realised 0 works.

Also this won't work if your default apache override flag is not set. You'll have to unset $_REQUEST, $_POST, $_GET.

BTW, your topic is a bit of a misnomer, as you pointed out in your first statement, because:
PHP is insecure with Register Globals enabled
#3

[eluser]Jon L[/eluser]
re: misnomer - that may be, but my thought is that CI should make sure variables are being filled by CI, and not possibly passed via the URL (CI should be initializing all variables properly so they can't be filled by _REQUEST when not appropriate)

as for 0 vs off, i believe it's just a boolean value, so whichever works.

using ini_set won't work, as it would go into effect too late. also, using php flag values in htaccess usually doesn't work for SuPHP/PHPSuExec installs. (with SuPHP, it's actually possible to pass a different flag to achieve the same result)


btw, CodeCrafter looks interesting, just found it via your signature.
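As an added example (not from this thread or from CodeIgniter itself), the two mitigations discussed above in code: Crafter's suggestion of unsetting the request-supplied globals, run before the framework boots, plus a hardened 404 template that refuses direct hits, initialises its own variables and escapes them. The file placement (index.php, error_404.php) and the BASEPATH constant are assumptions about a typical CI 1.x install; the code is written for PHP 5.x, the last line that still had register_globals.

```php
<?php
// Added example, not CodeIgniter's own code. Two defences for servers where
// register_globals cannot be turned off in php.ini or .htaccess.
//
// Part 1 (assumed to sit at the very top of index.php, before anything else):
// undo register_globals by unsetting every global whose name was supplied by
// a request superglobal, so $heading, $message and friends cannot arrive
// pre-filled from the query string.
function unregister_globals()
{
    if (!ini_get('register_globals')) {
        return; // already off, nothing was injected
    }
    $keep = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                  '_SERVER', '_ENV', '_FILES', '_SESSION');
    $sources = array($_GET, $_POST, $_COOKIE, $_REQUEST, $_SERVER, $_ENV, $_FILES);
    foreach ($sources as $src) {
        foreach (array_keys($src) as $name) {
            if (!in_array($name, $keep, true)) {
                unset($GLOBALS[$name]);
            }
        }
    }
}
unregister_globals();

// Part 2 (assumed hardened replacement for application/errors/error_404.php):
// refuse direct requests, give both variables a safe default, and HTML-escape
// them so a value that did sneak in renders as text rather than markup.
// BASEPATH is the constant CodeIgniter's index.php defines before loading
// the framework; a direct hit on this file never has it.
if (!defined('BASEPATH')) {
    exit('No direct script access allowed');
}
$heading = isset($heading) ? (string) $heading : '404 Page Not Found';
$message = isset($message) ? (string) $message : 'The page you requested was not found.';
?>
<html>
<body>
<h1><?php echo htmlspecialchars($heading, ENT_QUOTES, 'UTF-8'); ?></h1>
<p><?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); ?></p>
</body>
</html>
```

With both parts in place, the URL quoted in post #1 is rejected outright (no BASEPATH), and even a value injected through a legitimate framework path is rendered as inert text.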
#4

[eluser]Jon L[/eluser]
really, i probably should have posted this in the "bug and unexpected behavior" forum.

is it possible for us to get an official dev to weigh in on this issue? it really seems like parts of the system code aren't being instantiated properly, which is likely why the register global XSS hack is able to work.
