Clearing up the question: should register_globals be ON or OFF?
When building a shopping site: at the very start of the osCommerce installation, it cannot be installed if the source has register_globals = Off.
If you rent a virtual host (and cannot edit php.ini yourself), you might consider installing Twe-Commercs instead,
because Twe-Commercs is exactly the opposite! It can be installed with register_globals = Off!
When building a shopping site: at the very start of the ZenCart installation, a security warning appears if the source has register_globals = On.
When building a portal/content site: at the very start of the Joomla installation, it cannot be installed if the source has register_globals = On.
So should register_globals be ON or OFF?
I found the following article through a Google search; perhaps it can clear up everyone's doubts.
2006-09-05 PHP multiple unspecified vulnerabilities (Source: SecurityFocus)
A weakness was found in PHP's zend_hash_del() function. For PHP programs that trust the unset function, an attacker can use brute force to pass arbitrarily initialized functions.
This vulnerability has a particularly pronounced impact on systems where the register_globals parameter defaults to "enabled (enable)"; in Red Hat Enterprise Linux, register_globals defaults to "disabled (disable)"
Therefore, if you want to set register_globals to On and still be able to install or use osCommerce, you can download the patch file and overwrite the originals with it.
Its readme file reads as follows:
Quote:
CHANGES TO REMOVE register_globals REQUIREMENT – V 1.5 – Richard Bentley 01/09/2006
———————————————————————————–
Before proceeding, read the README file !
In this directory, you will find a set of files that have been pre-patched. The net result
is exactly the same as applying the patch instructions yourself.
There are 13 files in total that have replacements. These are as follows :
Admin…
———
…/admin/products_attributes.php
…/admin/includes/application_top.php
…/admin/includes/functions/general.php
…/admin/includes/functions/sessions.php
On a default installation of OSC, the 'admin' directory is actually contained within the
'catalog' directory (ie …/catalog/admin/), but I have split it out here to make the
division clearer (as an aside, you will find that if you move admin/ out of catalog/,
it makes the admin section somewhat more straightforward to secure, but this is outside
the scope of this patch)
Catalogue…
————
…/catalog/install/includes/application.php
NOTE: If you have already installed OSC (ie – run through the installation procedure),
—- then the above file may not exist (in which case you should not add it back in
with the replacement file); once installation of OSC is complete, you should
delete the whole of the …/catalog/install/ directory – it is not needed after
installation and having it hanging around is a security risk
…/catalog/includes/application_top.php
…/catalog/include/classes/order.php
…/catalog/includes/functions/general.php
…/catalog/includes/functions/gzip_compression.php
…/catalog/includes/functions/sessions.php
…/catalog/includes/languages/english/password_forgotten.php
…/catalog/includes/languages/espanol/password_forgotten.php
…/catalog/includes/languages/german/password_forgotten.php
NOTE: I have NOT included a pre-patched version of the easypopulate file. This is because
—- it will probably be out of date by the time you read this. Instead, if you need to
patch easypopulate (if it STILL needs patching, and by now it really should have been
reworked so that it doesn't need patching) then refer to the manual patching
instructions (the very last entry in the admin_patch text file will tell you what
you need to do – it's very simple… honest)
=======================================================
>>> WARNING <<<
These files are based on the MS 2.2 release, dated 17/09/2006 (ie – the
security/bugfix update #2 to the original MS 2.2). If you are using some other version
of OSC then I strongly suggest you apply this patch manually and NOT use these pre-patched
files. The exception to this is the security/bugfix release 13/11/2005; it is ok
to patch this version directly with these files; see the README file for more details
=======================================================
>>> WARNING <<<
If you have already applied some other changes (contributions/patches) to your OSC code
then make sure you are not blatting over those changes by copying these files over. If in
doubt then I strongly suggest you use the manual instructions in the 'patch_instructions'
directory and apply the patch line by line; despite what many people say, it really
doesn't take very long – it took me about 20 minutes!
=======================================================
INSTALLATION
————
1/ Copy the above files to their appropriate places in your existing OSC code tree
2/ Make sure you set the permissions of the replacement files appropriately for the
environment you are using. If you fancy getting the shit hacked out of you then
feel free to set permissions of '777'. If you fancy something a tad more secure
then I suggest engaging brain and thinking about it 🙂
If you don't KNOW how to set some sensible file permissions then find yourself
a good text book and learn how to use your computer
3/ It's been mentioned in the README file already, but once you have made this
change, you MUST disable the register_globals option in php.ini
ie, in php.ini :
register_globals = Off
=======================================================
Reference download page: http://www.oscommerce.com/community/contributions,2097/category,all/search,register_globals
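The SecurityFocus note above explains why register_globals matters (request parameters become variables the script never initialized), and the readme's installation step 3 insists on register_globals = Off once the patch is applied. The following is an added example, not code from the original post or from the osCommerce patch: it places the coding pattern that only works with register_globals = On beside the pattern that works with it Off, and adds a small check of the php.ini setting. The function names, the sample request and the sample password are constructed for illustration.

```php
<?php
// Added example; not code from the original post or from the osCommerce patch.
// Function names, the sample request and the sample password are constructed.

// Pattern that depends on register_globals = On.
// With register_globals enabled, PHP created a global variable for every request
// parameter before the script ran, so a request carrying authorized=1 defines
// $authorized before this code executes. Because the variable is assigned only
// inside the if-branch, that pre-set value survives when the password is wrong.
function checkAccessRelyingOnGlobals()
{
    global $authorized, $user_password, $stored_password;
    if ($user_password === $stored_password) {
        $authorized = true;
    }
    return !empty($authorized);
}

// Hardened pattern: read input explicitly from the request array and initialise
// every variable before use, so the register_globals setting no longer matters.
function checkAccessHardened(array $post, $stored_password)
{
    $authorized = false;                                  // always start from a known state
    $user_password = isset($post['user_password']) ? (string) $post['user_password'] : '';
    if ($user_password !== '' && $user_password === $stored_password) {
        $authorized = true;
    }
    return $authorized;
}

// Configuration check: true if the running PHP still has register_globals enabled.
// ini_get() returns false for a directive that does not exist, which is the case
// from PHP 5.4 onwards, where register_globals was removed entirely.
function registerGlobalsIsOn()
{
    $value = ini_get('register_globals');
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

// Demonstration with a constructed request; no real HTTP request is involved.
$request         = array('authorized' => '1', 'user_password' => 'wrong-guess');
$stored_password = 'sample-secret';   // constructed value, not a real credential
extract($request);                    // emulates what register_globals = On did to every request

var_dump(checkAccessRelyingOnGlobals());
var_dump(checkAccessHardened($request, $stored_password));
var_dump(registerGlobalsIsOn());
```

With the constructed request, the first call grants access even though the password is wrong, while the hardened version refuses it. Run it from the command line with `php`; on a PHP 5.3 host that still has register_globals = On the last call reports the directive as enabled, which is exactly the state the readme's step 3 tells you to turn off.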