On Wednesday 01 August 2001 02:02, Yasuo Ohgaki wrote:
> "Meir Kriheli" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
>
> > Hi,
> > I need another pair of eyes to see if I've overlooked something.
>
> SNIP
>
> > so
> > '{pass1}=={pass2}'
> >
> > is converted to
> > '$GLOBALS['pass1']==$GLOBALS['pass2']'
> >
> > When the form is validated I'm running eval() to evaluate the
> > expression. I'm concerned that there's an exploit somewhere, maybe a
> > user entering some malicious data (I don't like using eval that often).
> > But I'm not using eval() directly on user entered data, and I can't see
> > where it is possible.
>
> Where pass1,pass2,etc came from? I guess from user and you set
They come from the form.
> register_globals=on in your php.ini. If this is the case, your script
> is exploitable probably.
> "register_globals=off" in your php.ini and use $HTTP_*_VARS.
>
> If you want to protect values set by PHP also, I've posted sample
> function at zend.com recently.
> http://www.zend.com/codex.php?id=626&single=1
> (Protect values (GET/POST/COOKIE) set by PHP)
>
> Regards,
> --
> Yasuo Ohgaki
I don't think this is much of a problem. I unset() all the global session
variables before I use them so this should be no problem.
Even if an attacker tries to set some value for a script variable, this var
will be unset() and then read from the session, so no harm is done.
On the other hand there should be no problem to change GLOBALS to
HTTP_XXX_VARS.
But as I've said this isn't a problem. Can you see some way to exploit the
eval() function?
Thank you
--
Kriheli Meir
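An added example, written for this archive and not code from either poster: the question in the thread is whether '{pass1}=={pass2}' rules can be checked without any eval() at all. The function below accepts the same placeholder notation, parses it with a fixed grammar and compares the submitted values directly, so neither register_globals nor the contents of a field can influence what gets executed. The grammar ({name} OP {name} or {name} OP 'literal', OP in ==, !=, <, <=, >, >=) is an assumption of this example, since the thread only shows one rule; the function names, the rule list and the sample input are constructed here. It assumes PHP 5 or later; $_POST is the later name for the $HTTP_POST_VARS array mentioned above.

```php
<?php
// Added example, not code from the thread. Evaluates form-validation rules
// written in the '{pass1}=={pass2}' notation without eval() and without
// going through $GLOBALS, so register_globals has no bearing on the result.
// Accepted grammar (an assumption of this example):
//     {name} OP {name}      or      {name} OP 'literal'
// with OP one of  ==  !=  <  <=  >  >=  and name matching [A-Za-z_][A-Za-z0-9_]*

function evaluate_rule($rule, array $values)
{
    $name = '\{([A-Za-z_][A-Za-z0-9_]*)\}';   // {placeholder}
    $lit  = "'((?:[^'\\\\]|\\\\.)*)'";          // 'literal' with \' escapes
    $op   = '(==|!=|<=|>=|<|>)';
    $pattern = "/^\s*$name\s*$op\s*(?:$name|$lit)\s*$/";

    if (!preg_match($pattern, $rule, $m)) {
        // Anything outside the grammar is refused rather than interpreted.
        throw new InvalidArgumentException("rule not in allowed grammar: $rule");
    }
    // $m[1] = left name, $m[2] = operator, $m[3] = right name (or ''),
    // $m[4] = quoted literal (only present when that alternative matched).
    if (!array_key_exists($m[1], $values)) {
        return false;                           // a missing field never validates
    }
    $lhs = (string) $values[$m[1]];

    if ($m[3] !== '') {
        if (!array_key_exists($m[3], $values)) {
            return false;
        }
        $rhs = (string) $values[$m[3]];
    } else {
        $rhs = stripslashes($m[4]);
    }

    // Ordering operators compare numerically only when both sides are numeric,
    // otherwise bytewise, so '10' > '9' behaves the way a form author expects.
    if (is_numeric($lhs) && is_numeric($rhs)) {
        $a = $lhs + 0;
        $b = $rhs + 0;
        $cmp = ($a < $b) ? -1 : (($a > $b) ? 1 : 0);
    } else {
        $cmp = strcmp($lhs, $rhs);
    }

    switch ($m[2]) {
        case '==': return $lhs === $rhs;        // strict string equality, no type juggling
        case '!=': return $lhs !== $rhs;
        case '<':  return $cmp < 0;
        case '<=': return $cmp <= 0;
        case '>':  return $cmp > 0;
        default:   return $cmp >= 0;            // '>='
    }
}

// Run the developer-written rule list against the submitted fields and
// return the rules that failed. Rules come from the script, never from the request.
function failed_rules(array $rules, array $values)
{
    $failed = array();
    foreach ($rules as $rule) {
        if (!evaluate_rule($rule, $values)) {
            $failed[] = $rule;
        }
    }
    return $failed;
}

// Constructed input standing in for $_POST ($HTTP_POST_VARS in the thread's PHP).
$submitted = array('pass1' => 'hunter2', 'pass2' => 'hunter2', 'age' => '17');
$rules     = array("{pass1}=={pass2}", "{age}>='18'");
print_r(failed_rules($rules, $submitted));      // only {age}>='18' is listed

// A field value containing PHP syntax is only ever compared, never executed.
$odd = array('pass1' => "'; phpinfo(); '", 'pass2' => 'x');
var_dump(evaluate_rule("{pass1}=={pass2}", $odd));   // bool(false)

// A rule that does not fit the grammar is rejected before anything runs.
try {
    evaluate_rule("{pass1}==1+1", $submitted);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The difference from the str_replace-then-eval() approach in the thread is where trust sits: with eval(), the rule string becomes source code, so its safety rests entirely on that string never being influenced by a request (a placeholder name that is not a plain identifier would already change the generated code). With a parser that only knows the fixed grammar, a rule is either one of the allowed comparisons or an error, and the submitted values are data in every case, whether they arrive through $GLOBALS, $HTTP_POST_VARS or $_POST.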
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]