Several PHP vulnerabilities to note
Several important php.ini options
Register Globals
The register_globals option in php.ini defaults to Off for PHP >= 4.2.0. When register_globals is set to On, the program can receive various environment variables from the server, including form-submitted variables. Because PHP does not require variables to be initialized in advance, this can cause great security risks.
Example 1:
check_admin() is used to check the current user's rights. If the user is an admin, the $is_admin variable is set to true; the code that follows then tests whether the variable is true and, if so, performs some administrative actions.
ex1.php
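<?php
// $is_admin is only ever assigned inside this branch
if (check_admin())
{
$is_admin = true;
}
// The flag is tested without having been initialized first
if ($is_admin)
{
do_something();
}
?>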
This code does not initialize $is_admin to false in advance. If register_globals is on, submitting http://www.sectop.com/ex1.php?is_admin=true directly bypasses the validation performed by check_admin().
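The following is an added example, not code from the original article. It emulates register_globals=On with extract() and runs the ex1.php logic with and without the initialization fix; check_admin() is a hypothetical stub that always denies, and the function names ex1_vulnerable and ex1_hardened are assumptions.

```php
<?php
// Hypothetical stub: the current user is NOT an administrator.
function check_admin(): bool
{
    return false;
}

// Emulates register_globals=On: extract() stands in for the engine and turns
// every request parameter into a local variable before the page logic runs.
function ex1_vulnerable(array $request): bool
{
    extract($request);
    if (check_admin()) {
        $is_admin = true;
    }
    // $is_admin was never initialized, so a request-supplied value survives.
    return !empty($is_admin);
}

// Same logic with the fix: the flag is initialized before it is tested.
function ex1_hardened(array $request): bool
{
    extract($request);   // same hostile environment as above
    $is_admin = false;   // explicit initialization overwrites any injected value
    if (check_admin()) {
        $is_admin = true;
    }
    return $is_admin === true;
}

// Constructed sample input: the query string from the URL above, parsed.
parse_str('is_admin=true', $request);

echo 'vulnerable grants admin: ', var_export(ex1_vulnerable($request), true), "\n";
echo 'hardened grants admin:   ', var_export(ex1_hardened($request), true), "\n";

// Deployment check: the directive was removed in PHP 5.4, where ini_get()
// returns false for it; on older versions it can still be switched on.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('register_globals is On: set it to Off in php.ini');
}
```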
Example 2:
ex2.php
<?php
// The user is treated as logged in whenever a session username exists
if (isset($_SESSION["username"]))
{
do_something();
}
else
{
echo "You are not logged in!";
}
?>
ex1.php
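<?php
// The directory name is taken straight from the query string
$dir = $_GET["dir"];
if (isset($dir))
{
echo "";
// The unfiltered value is concatenated into a shell command line
system("ls -al " . $dir);
echo "";
}
?>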
mixed eval(string code_str) // eval injection typically occurs when an attacker can control the input string
ex2.php
<?php
$var = "Var";
if (isset($_GET["arg"]))
{
$arg = $_GET["arg"];
// The request value is placed inside the string passed to eval()
eval("\$var = $arg;");
echo "\$var =" . $var;
}
?>