[thelist] PHP sessions & security, etc

Aleem Bawany aleem.bawany at utoronto.ca
Thu Dec 12 05:41:01 CST 2002


> The PHP manual page I referred you to above has a fine
> explanation of the security issues.  The concern is not that
> someone can "pull these variables out" somehow and gain
> access to the data in them, it is that anyone who can access
> your script via the web can add arbitrary global variables
> into your script as easily as sticking "?var=val" onto the
> end of the URL.  One mistake in your code (such as unwary use
> of an uninitialized variable) can potentially lead to anyone
> being able to execute arbitrary code as the web user on your
> server.  This is a serious issue, and if you read BugTraq
> you'll see that PHP sites and software packages are regularly
> discovered to be vulnerable to this type of
> 'variable-poisoning' attack.

A measure you should always take is to ensure that your variables are
initialized at the beginning of your script. Alternatively you could
destroy all variables that you intend to use globally, in your init()
routine or at the top of the page using unset($varname). This ensures
that any variables passed in the URL are destroyed at the beginning of
your script.

aleem

[ http://members.evolt.org/aleem/ ]
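The variable-poisoning problem described in the quoted text and the initialize-first mitigation from the reply, side by side. This is an added illustration, not code from the thread; modern PHP no longer has register_globals, so `extract()` is used only to reproduce the effect of request parameters becoming globals, and the function names, credentials and request array are constructed for the example.

```php
<?php
// Added illustration (not from the original post). extract() stands in for
// register_globals=On: every request parameter becomes a plain variable.
function vulnerable_is_admin(array $request): bool
{
    // Emulates register_globals: ?is_admin=1 in the URL now defines $is_admin.
    extract($request);
    // $is_admin is only assigned on the success path. On every other path it
    // keeps whatever value the request supplied, which is the poisoning bug.
    if (isset($user) && $user === 'alice' && isset($pass) && $pass === 'correct horse') {
        $is_admin = true;
    }
    return !empty($is_admin);
}

function hardened_is_admin(array $request): bool
{
    // Initialize every variable before use, as the reply recommends (unset()
    // at the top of the script would achieve the same for globals), and read
    // input only through explicit lookups instead of implicit globals.
    $is_admin = false;
    $user = $request['user'] ?? '';
    $pass = $request['pass'] ?? '';
    if ($user === 'alice' && $pass === 'correct horse') {
        $is_admin = true;
    }
    return $is_admin;
}

// Constructed request: no credentials at all, just an injected is_admin flag.
$poisoned = ['is_admin' => '1'];
// Constructed request: a legitimate login.
$legit = ['user' => 'alice', 'pass' => 'correct horse'];

var_dump(vulnerable_is_admin($poisoned));
var_dump(hardened_is_admin($poisoned));
var_dump(hardened_is_admin($legit));
```

Run it with `php` on the command line; the poisoned request is accepted by the first function only because `$is_admin` was never initialized before the conditional.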
