Let's take a look at this simple code.
<?php
session_start();
$_SESSION['isadmin'] = 'yes';
$isadmin = 'no'; // a plain global that shares its name with the session key
echo $_SESSION['isadmin'];
?>
With register_globals = off in php.ini there is no problem: the script outputs yes.
With register_globals = on in php.ini, the first run outputs yes, but if you refresh the page, no is displayed. Obviously this is not normal, and it is a strange problem.
If $isadmin = 'no'; changes the session, why is yes displayed the first time?
As everyone knows, when register_globals = on is configured and the script is accessed through xxx.php?id=123, PHP automatically creates the variable $id.
Will automatically created variables change the session?
Test code
<?php
// xxx.php
session_start();
echo $_SESSION['id'];
?>
Accessing xxx.php?id=123 produces no output.
That is fortunate; otherwise there is no telling how many programs that use the session for login could be logged into at will when PHP is configured with register_globals on.
There are also two commonly used functions, import_request_variables() and extract():
import_request_variables -- import GET/POST/Cookie variables into the global scope
extract -- import variables from an array into the current symbol table
<?php
// xxx.php
import_request_variables('G'); // 'G' imports the GET variables
echo $id;
?>
When accessed as xxx.php?id=123, it outputs 123 even if register_globals is set to off.
extract($_GET) behaves similarly to import_request_variables('G'). So will the variables created by import_request_variables() and extract() affect the session?
Test code
<?php
// xxx.php
session_start();
import_request_variables('G');
echo $_SESSION['id'];
?>
When the program is accessed as xxx.php?id=123, there is no output.
Testing with extract($_GET) in place of import_request_variables('G') still gives no output. This is strange, because of the following test:
<?php
session_start();
$arr = array('id' => 123);
extract($arr); // creates $id from an array defined in the script
echo $_SESSION['id'];
?>
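When register_globals is on, this outputs 123. It appears that extract() handles $_GET differently from an array defined in the script.
Conclusion: when register_globals is on, variables created with import_request_variables('G') and extract($_GET) do not change the session.
Summary: the vulnerability only exists when PHP is configured with register_globals = on, and variables defined in the script change the session variable with the same name. With register_globals on, session_start() binds each variable already stored in the session to the global of the same name, which is why the first script printed yes on the first run (the session was still empty) and no after a refresh.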
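A defensive pattern that follows from the tests above, as an added example that is not code from the original article: fail closed when register_globals is on, import request values through an allow-list instead of extract($_GET), and make the admin decision from $_SESSION only. The function names and the sample request array are hypothetical and constructed for the example.

```php
<?php
// Added example: helper names below are hypothetical, not from the article.

// Refuse to run when PHP auto-creates globals from request/session data.
// ini_get() returns false on PHP builds where the setting no longer exists.
function require_register_globals_off()
{
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        header('HTTP/1.1 500 Internal Server Error');
        exit('register_globals must be off');
    }
}

// Copy only the expected request keys into a returned array instead of
// calling extract($_GET), which creates a variable for every key sent.
function pick_request_vars(array $source, array $allowed)
{
    $picked = array();
    foreach ($allowed as $key) {
        if (isset($source[$key]) && is_string($source[$key])) {
            $picked[$key] = $source[$key];
        }
    }
    return $picked;
}

// The authorization decision reads $_SESSION directly and compares strictly,
// so a same-named global such as $isadmin can never take part in it.
function is_admin()
{
    return isset($_SESSION['isadmin']) && $_SESSION['isadmin'] === 'yes';
}

require_register_globals_off();
session_start();

// Constructed request data standing in for $_GET: the client also sends an
// isadmin key, which is dropped because it is not in the allow-list.
$request = array('id' => '123', 'isadmin' => 'yes');
$in = pick_request_vars($request, array('id'));

var_dump($in);
var_dump(is_admin());
```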