opless / phpliteadmin

Automatically exported from code.google.com/p/phpliteadmin

Auto-Logout if register_globals is on #15

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. in php.ini set register_globals=On
2. Login
3. Click any link / reload

What is the expected output? What do you see instead?
I get logged out.

What version of the product are you using? On what operating system?
I use v1.8.5 on Debian Linux, php5.2.5 (cgi)

Original issue reported on code.google.com by Christia...@gmail.com on 28 Apr 2011 at 7:29

GoogleCodeExporter commented 9 years ago
v1.8.3 not 1.8.5 :)

Original comment by Christia...@gmail.com on 28 Apr 2011 at 7:30

GoogleCodeExporter commented 9 years ago
Just downloaded and tried phpliteadmin and I'm getting this problem. Only my 
register_globals is off. I'm running CentOS 5.5 and php 5.1.6 via fastcgi 
(lighttpd).

Original comment by stan...@gmail.com on 4 May 2011 at 5:14

GoogleCodeExporter commented 9 years ago
I'm getting this problem too... Maybe a PHP5 issue? I am running on Abyss X1 
web server and getting this issue

Original comment by nick.kel...@gmail.com on 10 May 2011 at 11:20

GoogleCodeExporter commented 9 years ago
I was also getting this problem until I turned register_globals off. I'm using 
phpliteadmin v1.8.4 with PHP v5.2.10 and Abyss Web Server v2.6.

Original comment by jue...@hotmail.com on 22 May 2011 at 2:47

GoogleCodeExporter commented 9 years ago
You need to turn register_globals off. v1.8.5 won't let you proceed without 
doing so.

Original comment by daneirac...@gmail.com on 28 May 2011 at 11:15

GoogleCodeExporter commented 9 years ago
Sorry to hear that. It's a customer's webspace and there I can't remove 
register_globals because none of their scripts would work anymore. So for now I 
removed the whole authentication and added a htpasswd in this directory.

Original comment by Christia...@gmail.com on 3 Jun 2011 at 6:14

GoogleCodeExporter commented 9 years ago
Yeah, I would like for it to work whether register_globals is turned on or off, 
but I don't know how to do it. Do you have any ideas? This is definitely 
something to work on.

Original comment by daneirac...@gmail.com on 3 Jun 2011 at 8:08

GoogleCodeExporter commented 9 years ago
Seems to be fixed in v1.8.6? I just commented out the register_globals-warning 
and everything went fine - may somebody else prove this pls? Thanks for fixing 
btw :)

Original comment by Christia...@gmail.com on 8 Jun 2011 at 12:52

GoogleCodeExporter commented 9 years ago
I guess this is fixed now. If not, feel free to reopen this issue.

Original comment by daneirac...@gmail.com on 2 Jun 2012 at 10:31

GoogleCodeExporter commented 9 years ago
Well, by default phpLiteAdmin does not allow you to work with register_globals 
enabled. Therefore, auto-logout is of course no issue any more ;-)

We could think about whether we want phpLiteAdmin to work although 
register_globals is enabled, though.

But I think register_globals opens lots of security problems. Therefore, I 
think it is not bad to force people to disable it.

In my opinion, register_globals should have been dropped completely in PHP5 
already. At last, it has been marked deprecated in PHP 5.3 and dropped in 5.4.

So if anybody still uses it, he should really learn how to use GET/POST.

By the way: If somebody really has old code that needs register_globals 
enabled, you can manually register all globals at the top of your script. See 
http://de.php.net/manual/en/security.globals.php#82213

We could also allow register_globals to be enabled and manually unset all 
registered global variables. Lots of example functions around, e.g. this one: 
http://de.php.net/manual/en/security.globals.php#87101

Original comment by crazy4ch...@gmail.com on 2 Jun 2012 at 10:45
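
A sketch of the "manually unset all registered global variables" option from the last comment, as an added example that is not phpLiteAdmin's code and not the function behind the linked manual note. The function name and the demo input are assumptions made for illustration; it uses `array()` syntax so it parses on the PHP 5.x versions where `register_globals` exists.

```php
<?php
// Added example, not phpLiteAdmin's code. Function name is hypothetical.

// Return the global names that register_globals would have created from
// the given request arrays. Superglobals are never returned, and a request
// key named GLOBALS is treated as an overwrite attempt.
function injected_global_names(array $sources, array $globalNames)
{
    $protected = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                       '_SERVER', '_ENV', '_FILES', '_SESSION');
    $names = array();
    foreach ($sources as $source) {
        foreach (array_keys($source) as $key) {
            $key = (string) $key;
            if ($key === 'GLOBALS') {
                throw new RuntimeException('GLOBALS overwrite attempt');
            }
            if (!in_array($key, $protected, true)
                && in_array($key, $globalNames, true)) {
                $names[$key] = true;   // de-duplicate across sources
            }
        }
    }
    return array_keys($names);
}

// Real use: run as the first statement of the script. ini_get() returns
// false on PHP >= 5.4 (setting removed) and may return the literal "Off".
$rg = strtolower((string) ini_get('register_globals'));
if ($rg !== '' && $rg !== '0' && $rg !== 'off') {
    $sources = array($_GET, $_POST, $_COOKIE);
    foreach (injected_global_names($sources, array_keys($GLOBALS)) as $n) {
        unset($GLOBALS[$n]);
    }
}

// Constructed demo input: 'page' and 'auth' match request keys, 'dbfile'
// is the script's own variable, '_SERVER' is a protected name.
$demo = injected_global_names(
    array(array('page' => '2'), array('auth' => '1', '_SERVER' => 'x')),
    array('GLOBALS', '_SERVER', 'page', 'auth', 'dbfile')
);
echo implode(',', $demo), "\n";
```

Because the cleanup removes any global whose name matches a request key, it has to run before the script defines variables of its own.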