[SOLVED] Lynis tells me I have (removed?) PHP option register_globals option is turned on

OtagoHarbour · 06-07-2014, 10:02 AM

I am running PHP 5.4.4-14 on Debian 3.2.41-2+deb7u2 x86_64 GNU/Linux.

I get a message from lynis

Code:

[10:39:07] Warning: PHP option register_globals option is turned on, which can be a risk for variable value overwriting [test:PHP-2368] [impact:M]

However this link tells me that register_globals was removed in PHP version 5.4.0.

How can it be turned on if it has been removed?

Thanks,
OH

michaelk · 06-07-2014, 10:58 AM

Have you actually verified for yourself that register_globals is turned on? You can see how PHP is configured.

If php CLI is installed run:
php -i | grep register_globals

or you can create a web page.
<?php phpinfo(); ?>

OtagoHarbour · 06-07-2014, 12:52 PM

Thank you for your reply.

Quote:

Originally Posted by michaelk

Have you actually verified for yourself that register_globals is turned on? You can see how PHP is configured.

If php CLI is installed run:
php -i | grep register_globals

This did not give me anything.

Code:

$ php -i | grep register_globals
$

Quote:

Originally Posted by michaelk

or you can create a web page.
<?php phpinfo(); ?>

That gave me output similar to what is shown here. But ctrl-F for "register_globals" returned no results.

Thanks,
OH

michaelk · 06-07-2014, 01:27 PM

I've never played with lynis but as stated since register_globals was removed in 5.4.0 and since it does not show in phpinfo then nothing is wrong with your system.

Besides register_globals default went from on to off in version 4.2.0 so the directive being removed or not in the php.ini is being misreported.

OtagoHarbour · 06-07-2014, 04:53 PM

Quote:

Originally Posted by michaelk

I've never played with lynis but as stated since register_globals was removed in 5.4.0 and since it does not show in phpinfo then nothing is wrong with your system.

Besides register_globals default went from on to off in version 4.2.0 so the directive being removed or not in the php.conf is being misreported.

Thanks again!
OH

mboelen · 06-08-2014, 11:40 AM

Upcoming release will test for PHP version and skip the test when needed!

OtagoHarbour · 06-08-2014, 12:39 PM

Quote:

Originally Posted by mboelen

Upcoming release will test for PHP version and skip the test when needed!

That's good to know.

Thanks for the info.,
OH