From: nobodx at fr dot fm
Operating system: win2k
PHP version: 4.3.4
PHP Bug Type: Variables related
Bug description: superglobals overwriting security issue
Description:
------------
When register_globals=Off, people (who have no other choice) would like to
use the function import_request_variables().
But this function CAN overwrite the superglobals variables like
$_SERVER... and so users can define variables supposed to be "protected".
Reproduce code:
---------------
<?
import_request_variables("g");
echo $_SERVER["REMOTE_ADDR"];
?>
File must be called with ?_SERVER[REMOTE_ADDR]=123
Expected result:
----------------
Expected to see my IP, not "123".
--
Edit bug report at http://bugs.php.net/?id=27432&edit=1
--
Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=27432&r=trysnapshot4
Try a CVS snapshot (php5): http://bugs.php.net/fix.php?id=27432&r=trysnapshot5
Fixed in CVS: http://bugs.php.net/fix.php?id=27432&r=fixedcvs
Fixed in release: http://bugs.php.net/fix.php?id=27432&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=27432&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=27432&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=27432&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=27432&r=support
Expected behavior: http://bugs.php.net/fix.php?id=27432&r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=27432&r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=27432&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=27432&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=27432&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=27432&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=27432&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=27432&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=27432&r=float
