ID: 31440
Updated by: [EMAIL PROTECTED]
Reported By: john at jelsoft dot com
-Status: Open
+Status: Feedback
Bug Type: Scripting Engine problem
Operating System: All
PHP Version: 4.3.10
New Comment:
Wow, lot of reproduce votes.
What Web server? Tell us more about your configuration as well.
Previous Comments:
------------------------------------------------------------------------
[2005-01-07 23:07:45] john at jelsoft dot com
Just to clarify why this is a very serious issue: any scripts using the
$GLOBALS array to clear all global variables set when registerglobals is
on (in order to simulate registerglobals being off) will run into major
problems. So:
foreach( $GLOBALS as $key => $val ) {
unset( $$key );
}
if ( $_GET['expression'] ) {
$output = "hello";
}
echo $output;
Will fail to unset all the global variables and so $output could have
bad values injected into it. It should be impossible to inject data
into $output, but this bug allows it to happen.
------------------------------------------------------------------------
[2005-01-07 13:36:49] john at jelsoft dot com
Description:
------------
With
register_globals on
it is possible to overwrite the $GLOBALS array from GET/POST/COOKIE
vars.
For example, try the script below:
script.php
(will print the full GLOBALS array)
script.php?GLOBALS[php]=error
(will print a GLOBALS array with just one entry)
_GET, _POST, etc superglobals are no vulnerable.
PHP5 does not exhibit this behaviour.
Reproduce code:
---------------
<a href="script.php?GLOBALS[php]=error">kill GLOBALS</a>
<pre>
<?php
print_r( $GLOBALS );
?>
</pre>
Expected result:
----------------
Full display of GLOBALS array
Actual result:
--------------
GLOBALS array with just one entry
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=31440&edit=1
