Support » Fixing WordPress » Problem with 1.5.2 with regard to PHP’s “register_globals”

  • Hello everyone,

    Okay, I don’t know if anyone has encountered this problem before. Furthermore, I am not sure whether I am able to express the problem I have very well here. But I will try my best.

    Basically, this has to do with the variable $DOCUMENT_ROOT with regard to PHP. I am using this tag on my main blog page as I have to call an external script (non WP-related) from another folder in my base directory.

    When I was using 1.5.1.3 without the new coding in wp-settings.php where it disables the “register_globals” setting, my script was able to work fine. Mainly because the $DOCUMENT_ROOT was directed to http://www.mydomain.com.

    After upgrading to 1.5.2, the script I am using suddenly stopped working because the $DOCUMENT_ROOT was now directed to http://www.mydomain.com/wp-content/themes/carrots/

    Assuming that the above problem was attributed to the new lines of code added in wp-settings.php regarding the “register_globals” security fix.

    I managed to solve the problem temporarily by replacing my wp-settings.php with the old file (From 1.5.1.3) while the rest of my WordPress is running on the 1.5.2 files. However, I fear that this problem may recur again when the next release comes out.

Viewing 14 replies - 1 through 14 (of 14 total)
  • I think most people’s advice would be to revise your script rather than using the old wp-settings.php file. This was changed because of a security issue, which has been exploited on people’s sites.

    Using the old file leaves your site vulnerable – not recommended.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    The register_globals exploit that was fixed in WP v1.5.2 was not WordPress-specific. It is a vulnerability in all PHP scripts which make use of register_globals. In fact, most experts believe that register_globals is nothing but a big security hole that should be disabled as a default security precaution on all servers. So, LesBessant is right, you really should revise your script.

    Thread Starter autumnqiu

    (@autumnqiu)

    The script is not mine, unfortunately. 🙁 It was downloaded from elsewhere, and is pretty essential in helping me keep track of my site.

    Well, I was looking through the entire script (it is made up of a bunch of files, and it calls one another using the $DOCUMENT_ROOT variable) and due to my negligible PHP knowledge, I couldn’t really do anything. *blushes*

    Unless someone is able to help me find an alternative way to code this? 😛

    <?include_once($DOCUMENT_ROOT.”/useronline/addonline.php”);?>

    There are several more $DOCUMENT_ROOT-s in all the other script files as well which I need to replace in order for it to work well with the latest WordPress release. 🙁

    You can replace all instances of $DOCUMENT_ROOT with $_SERVER['DOCUMENT_ROOT'].

    register_globals takes the super-global variables and makes the individual components of each super-global array into a unique variable. It does a lot more than that, too, so feel free to read the link above.

    If this is all you require from register_globals, then it’s pretty easy to search-and-replace your way through the fix. It’s when you code an entire script with the expectation that register_globals is enabled that you have more trouble.

    Thread Starter autumnqiu

    (@autumnqiu)

    Eh… I apologise, but I have absolutely zero (or almost) knowledge of PHP and so I couldn’t really understand the articles there.

    According to the article, the “Document Root” is defined as:
    The document root directory under which the current script is executing, as defined in the server’s configuration file.

    If the configuration file is coming from the server, why did the $DOCUMENT_ROOT suddenly change to the WP themes directory? :X

    If the above question I posed sounds stupid, don’t forget that this is coming from a PHP idiot like me. 😛

    Anyone willing to coach me one on one through MSN? :X I will be extremely grateful to you.

    If
    <?include_once($DOCUMENT_ROOT."/useronline/addonline.php");?>

    is the only occurence, replace the line with
    <?include_once("http://example.com/useronline/addonline.php");?>

    where “example.com” should be replaced with the right url (the url of your site)

    else replace the “DOCUMENT_ROOT” with what skippy suggested.

    Skippy was suggesting a quickfix, and then suggesting that you can read up some references, only if you have the penchant for these things, else it is okay to skip the reading 😉

    Thread Starter autumnqiu

    (@autumnqiu)

    Hi carthik! I have tried replacing it with the following code before:

    <?include_once(“http://example.com/useronline/addonline.php&#8221;);?>

    but it didn’t work.

    I will now try replacing all the “$DOCUMENT_ROOTS” with “$_SERVER[‘DOCUMENT_ROOT’]” and hope for the best. 😛

    Thread Starter autumnqiu

    (@autumnqiu)

    Just to check, $_SERVER[‘DOCUMENT_ROOT’] should work on ALL pages including non WP static pages, right? 😮

    Because now all my WP main page is logging fine in the script while my static pages aren’t. 🙁

    Where have I gone wrong?

    Maybe you should try contacting the folks who wrote the logger, since we don’t know much about it, besides what you have let us know.

    Thread Starter autumnqiu

    (@autumnqiu)

    I don’t even know who wrote the logger, because it was from a friend who claimed it was written by someone else.

    Ah well. Thanks for the help rendered. At least the problem is partly solved now, as in, the logger is now logging all accesses to the WP mainpage whereas it isn’t logging the other static pages, unlike not even logging at all before we started.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    You may want to try an alternative logger, like ShortStat. The current version can be found here: http://www.shauninman.com/plete/2005/01/nofollow-the-leader

    There are also several statistics plugins for WordPress, but they will not be able to log visits to your non-WordPress pages.

    http://codex.wordpress.org/Plugins/Statistics

    Thread Starter autumnqiu

    (@autumnqiu)

    Mmm… sounds good! I’ll look into that. Thanks Macmanx! 😛

    Thread Starter autumnqiu

    (@autumnqiu)

    Actually, I was looking at an alternative way on how to disable register_globals via a .htaccess file.

    http://www.taskspro.com/documentation/register_globals.html

    How is this different from the method implemented by WordPress?

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Unfortunately, the .htaccess trick may not work with some hosting providers, because it is common practice for shared hosting providers to disable the php_flag variable. Upgrading to WordPress v1.5.2 is a much better solution, because you can do it under any hosting provider, and it won’t affect your ability to run other scripts which require register_globals.

Viewing 14 replies - 1 through 14 (of 14 total)
  • The topic ‘Problem with 1.5.2 with regard to PHP’s “register_globals”’ is closed to new replies.