Global Space Exploitation Is on the Rise Again

Insecurities in PHP-Based Web Applications

Aditya K Sood, SecNiche
zeroknock [at] secniche.org


Analysis

The global namespace plays a vital role in application security, and vice versa. A variable has meaning only in the scope in which it is defined, so where a variable is declared and where it is read decide whether its value can be trusted. A variable that is read before the script has initialised it is an infection vector: with register_globals enabled (the default in older PHP installations), every request parameter is copied into the global namespace before the script runs, so an attacker can supply the initial value of any global the script forgot to set. Exploitation of namespaces and declarations is common today. The root cause is almost always a coding error, and the human factor makes that hard to eliminate. Careless initialisation of a variable that is used inside a function opens a security hole in the application. Consider the following example:

		function authorisation()
			{
				if ( $access == "" )
				{
					echo("No Access Check Can Be Performed!");
				return;
				}
			}
	
In the above example $access is tested for an empty value, but the variable is never initialised anywhere: not in the global namespace and not inside the function. Inside authorisation() $access is a fresh local variable, so the test always sees an empty value, and wherever the script does read an uninitialised $access, an attacker can set it simply by adding access=<value> to the request and letting the script execute with it. This is one of the most common holes today and the point is critical to understand. Suppose we initialise the value as follows:
		$access = 2;
		function authorisation()
			{
				if ( $access == "" )
				{
					echo("No Access Check Can Be Performed!");
				return;
				}
			}
	
Most coders think that initialising $access in the global namespace makes the check work. That is not the case in PHP. In the code above the variable is defined globally, but when $access is read inside the function no global specifier is used, so PHP treats it as a separate local variable that has nothing to do with the global one: a function does not see globals unless it declares them with global or reads them through $GLOBALS. The global initialisation therefore never reaches the check, and the function returns a result that is not what the author of the code expects. Attackers know this and play with the global specifier: they inject their own initialisation values through the URL, and if the injection lands on a variable the script never initialised, the resulting behaviour and error output cannot be controlled and information leaks out of the application. The proper code is as follows:
		$access = 2;
		function authorisation()
			{
				global $access;
				if ( $access == "" )
				{
					echo("No Access Check Can Be Performed!");
				return;
				}
			}
	
Now the global reference is bound to the function in the right order: the variable is initialised first, and the function explicitly declares that it reads the global. The same discipline applies to static variables: declare and initialise them explicitly inside the function rather than assuming a value. A minor mistake in the code lets the attacker inject parameters of his own choice and exploit the application.
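The following script is an added example and is not code from the original advisory. It puts the three patterns above side by side under a constructed request: the undeclared local read, the global declaration, and a hardened version that does not take authorisation state from the global namespace at all. The function names, the session array and the use of extract() to reproduce what register_globals did (it was removed in PHP 5.4) are assumptions made for the demo.

```php
<?php
// Added example, not code from the original advisory.
// Shows why initialising $access globally does not reach a function that
// reads $access without a global declaration, and what register_globals
// added to the problem. Run with: php scope_demo.php

declare(strict_types=1);

// Constructed request for the demo: the attacker appends access=1 to the URL.
$_GET = ['access' => '1'];

// register_globals copied every request parameter into the global namespace
// before the script ran. extract() reproduces that behaviour here, which is
// also why calling extract() on request data is unsafe in its own right.
extract($_GET);

// 1. The advisory's first pattern: $access inside the function is a local
//    variable that was never assigned, so the check never sees any global.
function authorisation_local(): string
{
    $access = $access ?? '';          // undefined local; ?? avoids the warning
    return $access === '' ? 'No Access Check Can Be Performed!' : "granted for $access";
}

// 2. The advisory's corrected pattern: global $access binds the function to
//    the global variable. Whether that global can be trusted depends only on
//    whether the script assigned it before this function runs.
function authorisation_global(): string
{
    global $access;
    if (!isset($access) || $access === '') {
        return 'No Access Check Can Be Performed!';
    }
    return "granted for $access";
}

// 3. Hardened form: authorisation state comes from server-side state that is
//    passed in explicitly (a hypothetical session array), never from a global
//    that a request parameter could have seeded.
function authorisation_checked(array $session): string
{
    $level = $session['access'] ?? null;
    if (!is_int($level) || $level < 1) {
        return 'No Access Check Can Be Performed!';
    }
    return "granted for $level";
}

// Before the script initialises $access, the global holds the attacker's value,
// and only the global-declared read exposes it.
echo "uninitialised global, local read  : ", authorisation_local(), PHP_EOL;
echo "uninitialised global, global read : ", authorisation_global(), PHP_EOL;

// After the script assigns $access = 2, the assignment overwrites the injected
// value. The corrected snippet in the advisory is safe only because that
// assignment happens before the call.
$access = 2;
echo "initialised global, local read    : ", authorisation_local(), PHP_EOL;
echo "initialised global, global read   : ", authorisation_global(), PHP_EOL;

// The hardened version ignores the global namespace entirely. Constructed
// session for the demo; a real application would read $_SESSION.
$session = ['access' => 2];
echo "explicit server-side state        : ", authorisation_checked($session), PHP_EOL;
```

Run it under a current PHP and compare the second line with the fourth: the global-declared read is attacker-controlled until the script assigns the variable itself. The order of that assignment, not the global keyword, is what closes the hole.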



Example:

The analysis below demonstrates this concept on a real website where it applies. Global space exploitation leads to XSS injection very easily. PHP-based web applications are built on variables, and these variables can be initialised locally or globally. If the initialisation is done the wrong way it becomes easy to inject malicious content through them. Web developers often do not pay attention to this, because it can be programmed on the fly.

Two things should be kept in mind:

1. Initialisation of variables, which must be cross-checked.
2. Initialisation of modules.

This is the easiest way to play with global spaces if one knows the code pattern of the web application. Let us see:

	 	The trimmed URLs:
newsdetails.php?iNewsid=137
newsdetails.php?month=11
This means that iNewsid and month are the two arguments whose values are passed to the PHP functions. The scope of these parameters stays local or global as intended if the code is written in the right order, but if the initialisation is not set right, XSS occurs. This is what we are going to analyse.

Let us start with some injections to check whether they are reflected by the web application.




The XSS injections flourish. The trimmed URL is transformed into encoded form, yet the XSS still occurs. The injections used are:

	 	iNewsid='<h2>XSS I am In.</h2>
	 	iNewsid='<p>XSS I am Strangling In.</p>
	 

Let us look at the code snippet:




The code gets directly injected into the web page: a parameter is passed to newsdetails.php and is written into the page without any validation or output encoding.
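The script below is an added example, not the site's newsdetails.php, whose code the advisory does not reproduce. It models the reflection the page describes with a hypothetical render function and places the hardened version beside it: every variable the page uses is initialised, iNewsid and month are validated against the integer ranges they are supposed to carry, and anything written into HTML is encoded. The three requests are constructed from the URL and the two payloads quoted above.

```php
<?php
// Added example, not the site's own newsdetails.php (not reproduced in the
// advisory). A hypothetical reflection of iNewsid and month, beside a
// hardened version. Run with: php newsdetails_demo.php

declare(strict_types=1);

// Vulnerable: request parameters are written into the HTML unchanged. Under
// register_globals these arrived as $iNewsid and $month; reading $_GET
// explicitly does not change the output problem.
function render_vulnerable(array $get): string
{
    $iNewsid = $get['iNewsid'] ?? '';
    $month   = $get['month'] ?? '';
    return "<h1>News item $iNewsid for month $month</h1>\n";
}

// Encode on output: this alone turns the quoted payloads into inert text.
function encode_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened: initialise every variable, validate each parameter against the
// type it is supposed to have, and encode before writing into the page.
function render_hardened(array $get): string
{
    // iNewsid is a database id: accept a positive integer only.
    $iNewsid = filter_var($get['iNewsid'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    // month is 1..12.
    $month = filter_var($get['month'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 12]]);
    if ($iNewsid === false || $month === false) {
        return "<p>Invalid request.</p>\n";
    }
    // Both are ints now; encoding anyway keeps the habit for string fields.
    return '<h1>News item ' . encode_for_html((string) $iNewsid)
         . ' for month ' . encode_for_html((string) $month) . "</h1>\n";
}

// Constructed requests: the legitimate URL from the advisory and the two
// payloads it reports as reflected.
$requests = [
    'legitimate' => ['iNewsid' => '137', 'month' => '11'],
    'payload 1'  => ['iNewsid' => "'<h2>XSS I am In.</h2>", 'month' => '11'],
    'payload 2'  => ['iNewsid' => "'<p>XSS I am Strangling In.</p>", 'month' => '11'],
];

foreach ($requests as $name => $get) {
    echo "== $name ==\n";
    echo 'vulnerable: ', render_vulnerable($get);
    echo 'hardened:   ', render_hardened($get);
    echo 'encoded id: ', encode_for_html($get['iNewsid']), "\n";
}
```

The validation step is what matters for an id or a month: a parameter that is only ever supposed to be a number should never reach the page as a string. Output encoding is the defence for fields that legitimately carry text, and the last line of each block shows what it does to the quoted payloads.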




Let us look at the code snapshot:




The final test:




The analysis holds. The consequences of global space exploitation are on their way.