register_globals errors

[Matt]

If your server is receiving these errors in your PHP scripts it is because register_globals has been disabled.

register_globals is a security risk and had not been enabled in PHP by default as of version 4.2.0. This setting is also disabled in PHP5 and the rumor mill says that this option is not even going to be an option in PHP6.

Most of the servers already have this setting off however for some time we have kept older servers enabled with this option for older sites that rely on it.

If you recently found register_globals errors on your website it probably means the scripts are running have not been updated in a very long time. (PHP 4.2.0 came out in April 2002)

We suggest that you update your open source software to the latest version or patch your scripts accordingly if you wrote them yourself so that they do not require register_globals to be enabled.

If this is not immediately possible for you, please open a ticket at our helpdesk and we will deal with your situation on a case by case basis.

We will post patches to commonly used scripts as we see requests for them. These patches can generally be applied without updating the entire script, however, if you are getting these errors it is probably time to update your script as it is likely not the only security risk found in your script.

Please remember to keep your scripts up to date and running the latest versions to remain compliant with our Terms Of Service. Keeping the scripts up to date also limits your risk of site breakage when security patches like this are released or installed.

Most every software distribution these days has a low volume mailing list for release notifications. If you run open source scripts we strongly suggest that you subscribe to these update notification lists so that you always remain current.

Security updates like this help to increase overall uptime and reduce potential site damage due to hacked sites from known security holes.

We apologize in advance for any inconvenience caused by these security updates and please know that they are directly for the benefit of your site.

======================
Patches
======
OSCommerce temp fix for register globals
http://www.oscommerce.com/community/contributions,2097

[Matt]

Here is another workaround to get your broken scripts running while you solve the underlying problem having to due with outdated software and register_globals.

Upload a file called php.ini to the directory of the script that has the errors. This file if it does not already exist, will have this line of code in it:

Code:

register_globals = on

If you already have a php.ini you can add the line of code above to the file, on a new line, then save the file.

This will allow your cart (or other software) to immediately run again.

However, it has opened your site up to potential security problems which we strongly encourage you to address, as soon as possible.

We recommend that you update the software to the latest version. This should resolve the issue with register_globals being required to be on in order for the software to run.

If you update the software in the same installation directory where it exists currently, make sure to delete the php.ini file from the server once you have completed the update process.

If you have a php.ini that has other directives besides

Code:

register_globals = on

then you can keep the php.ini installed if needed, but make sure to remove the line that says

Code:

register_globals = on

so that you can remove the potential security hole completely after update.

If you have problems updating your software, which you may, because earlier versions of some scripts did not have easy upgrade paths like most do today, your other option is to make a fresh installation of the software in another directory, then import your database. This may, or may not work because some of the upgrades that have been released since your version may have contained database schema updates. However it may be worth a try on some scripts where only the php scripts may have changed.

The other option is to make a fresh install, then manually recreate the store, or import portions of the database that will work from the old version, to the new version, to save some time.

The final option of course it to hire a qualified programmer to handle the upgrade path for you.

In all cases above dealing with a fresh install in a secondary directory, once you have verified that it is working properly in the secondary directory (example: /cart2), you can rename or delete the entire directory that contains the outdated software (example: /cart), then rename the folder that contains the new software, to the same name as the old software directory.

This makes it so that you do not have to recode the links on your site to point to the new software installation.

For example, if you have an old shopping cart located at:
http://example.com/cart
you would make a fresh installation at
http://example.com/cart2

Once you verify /cart2 works fine, you would rename /cart to /oldcart (for backup purposes) then rename /cart2 to /cart.

Your new updated cart will exist at the same location as the old one, and you now have an backup of the outdated cart at /oldcart

You should remove /oldcart as soon as possible from the server so that you have one less potential security problem running on your site to worry about.

Hopefully that will help some of you out.

[andychev]

Would have loved some warning on this one! Never Mind!

For anyone using oscommerce the 'upgrade' is fairly straight forward. If you got the link matt posted above and download the lastest version of the patch. If you have done mods to you site and dont want to start from scratch you will need to go through the following process:

Application_top.php, in both admin/includes and catalog/includes a simple change is needed at the top of this file to comment out the following lines of code:

// Check if register_globals is enabled.
// Since this is a temporary measure this message is hardcoded. The requirement will be removed before 2.2 is finalized.
// if (function_exists('ini_get')) {
// ini_get('register_globals') or exit('FATAL ERROR: register_globals is disabled in php.ini, please enable it!');
// }

Step 2 is to replace sessions.php in both admin/includes/functions and catalog/includes/functions

If you have mods install then 99% of the time they dont affect these files so just overwrite them with the new one.

Step 3 in product_attributes.php in /admin add the following lines of code under

require('includes/application_top.php');
$languages = tep_get_languages();


ADD:

link_get_variable('option_page');
link_get_variable('value_page');
link_get_variable('attribute_page');

Step 4 in general.php in admin/includes/functions and catalog/includes/functions

find the function:

function tep_browser_detect($component) {

replace the entire function (a couple of lines ending in } with

function tep_browser_detect($component) {

return stristr($_SERVER['HTTP_USER_AGENT'], $component);

}

Then before the last ?> ADD:

function link_get_variable($var_name)
{
// Map global to GET variable
if (isset($_GET[$var_name]))
{
$GLOBALS[$var_name] =& $_GET[$var_name];
}
}
function link_post_variable($var_name)
{
// Map global to POST variable
if (isset($_POST[$var_name]))
{
$GLOBALS[$var_name] =& $_POST[$var_name];
}
}

Step 5 replace gzip_compression.php with the new version in catalog/includes/functions

Step 6 in order.php in catalog/includes/classes find

$this->customer = array();
$this->delivery = array();
if (tep_not_null($order_id)) {
$this->query($order_id);
} else {

UNDERNEATH ADD

link_post_variable('cc_type');
link_post_variable('cc_owner');
link_post_variable('cc_number');
link_post_variable('cc_expires');
link_post_variable('comments');


Once that is done that should get you back to the store functioning correctly. Some of the additional mods may require extra basic tweeking but you shop will be functioning and secure after the above is done.

[Matt]

Would have loved some warning on this one!

Thats the same thing I say when we get hacked.

Thanks for the contribution for OS Commerce.

[andychev]

Thats the same thing I say when we get hacked.

Point Taken!