Okay, here we go - in some cases it is impossible to get your host to shut off register globals, or your host doesn't allow php config in .htaccess - (cgi) - well, I hope I can help... I am not saying this is full proof - but, under testing it stopped all the common exploits.
-
Open /inc/header.inc.php, add this function before the last ?> php tag:
-
function unregister_my_globals()
{
$register_globals = @ini_get('register_globals');
if ($register_globals === "" || $register_globals === "0" || strtolower($register_globals) === "off"){return;}
if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])){exit('It\'s not going to be so easy hacker!!');}
$no_unset = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_ENV', '_FILES');
$input = array_merge($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES, isset($_SESSION) && is_array($_SESSION) ? $_SESSION : array());
foreach ($input as $k => $v)
{
if (!in_array($k, $no_unset) && isset($GLOBALS[$k]))
{
unset($GLOBALS[$k]);
unset($GLOBALS[$k]); // Double unset to circumvent the zend_hash_del_key_or_index hole in PHP <4.4.3 and <5.1.4
}
}
}
-
Then also before the final php tag, call the function:
unregister_my_globals();
-
That will work for ALOT of the known exploits - as well as some unknown :)
-
Hope this helps those who can't help thier register global problem.
-
Chris
