Register Globals – Should the register_globals directive be turned Off?

  • #3081
    John H
    Member

    I am posting in this topic. I apologise for this but for some reason I am again logging in and then when I click on the pro forum I seem to be then logged out and cannot create a new topic. However, I am allowed to post in a previous topic of mine. I am not sure whether I am doing something or the issue lies elsewhere.

    I have appreciated your help as I have been familiarising myself with BPS. I have two general questions please –

    1. I keep getting different stories about the security risk when PHP Register Globals is enabled. Backupbuddy tells me this is an issue, HostGator tells me it is not. Being security experts I trust your opinion on this. Is it a problem having them enabled?

    2. This is very general – I manage a lot of sites. Instead of engaging in a long process of dealing with the autorestore cron settings each time there is a plugin upgrade, I excluded plugins in the ‘exclude dynamic folders’ tab. I do have the plugin firewall on. Are there any security issues I should be aware of through doing this?

    Thanks again

    #3082
    AITpro Admin
    Keymaster

    We are currently experimenting with using HttpOnly in the BuddyPress Forum.  Most likely you will need to refresh your Browser and you will see that you are still really logged in.  There are apparently some issues with BuddyPress and using HttpOnly so we may not be able to use it with BuddyPress.  Shame it adds great security protection against XSS and session cookie protection.

    1.  The register_globals directive should be turned Off.  Security & Performance: Allow or Disallow the EGPCS variables, input data (POST, GET, cookies, environment and other server variables), to be registered as global variables. Performance increase by avoiding global scope script clutter with user data. Allowing register_globals will register form variables as globals and can lead to possible security problems.

    2.  No, there are not any security issues with turning AutoRestore Off when the Plugin Firewall is activated.  We actually recommend that you do exactly that.  No one but your IP address, Your Server’s/website IP address and your Domain name are allowed access to the plugins folder.  The Plugin Firewall is a true Firewall.  It is not a fancy or gimmick naming convention – the Plugin Firewall is a true Firewall.
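
Added example (not part of the original posts, and not AITpro's or BulletProof Security's code): a Python audit for someone managing many sites that walks a directory tree and reports every `php.ini`, `.user.ini` or `.htaccess` that sets `register_globals`, and whether it is on. The function names and the idea of one root folder holding all sites are assumptions; the two directive syntaxes matched are the standard php.ini form and the mod_php `php_flag`/`php_value` form.

```python
import os
import re
import sys

# Per-directory files that can set the directive, besides the main php.ini.
CONFIG_NAMES = {"php.ini", ".user.ini", ".htaccess"}
TRUE_VALUES = {"1", "on", "yes", "true"}

# php.ini / .user.ini syntax:   register_globals = On
INI_RE = re.compile(r'^\s*register_globals\s*=\s*"?(\w+)"?', re.I)
# mod_php syntax in .htaccess:  php_flag register_globals on
HTACCESS_RE = re.compile(
    r'^\s*php_(?:flag|value)\s+register_globals\s+"?(\w+)"?', re.I)


def directive_state(text, htaccess=False):
    """Return True (on), False (off) or None (not set) for one config file."""
    pattern = HTACCESS_RE if htaccess else INI_RE
    state = None
    for line in text.splitlines():
        # The patterns are anchored at line start, so lines commented out
        # with ';' or '#' never match and are ignored.
        m = pattern.match(line)
        if m:
            state = m.group(1).lower() in TRUE_VALUES  # last setting wins
    return state


def audit(root):
    """Map each config file under root that sets the directive to its state."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in CONFIG_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                state = directive_state(fh.read(), htaccess=(name == ".htaccess"))
            if state is not None:
                findings[os.path.relpath(path, root)] = state
    return findings


if __name__ == "__main__":
    # Usage: python audit_register_globals.py /path/to/sites
    for path, enabled in sorted(audit(sys.argv[1]).items()):
        print(("ON  " if enabled else "off ") + path)
```

A file reported as ON only has an effect on PHP versions that still support the directive; it was removed in PHP 5.4.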

    #3084
    John H
    Member

    Thank you so much. The support you offer is the best I have come across. Now I will have another discussion with Host Gator!
