ID: 31440
Updated by: [EMAIL PROTECTED]
Reported By: john at jelsoft dot com
-Status: Open
+Status: Feedback
Bug Type: Scripting Engine problem
Operating System: All
PHP Version: 4.3.10
New Comment:
Wow, lot of reproduce votes. What Web server? Tell us more about your configuration as well.

Previous Comments:
------------------------------------------------------------------------

[2005-01-07 23:07:45] john at jelsoft dot com

Just to clarify why this is a very serious issue: any scripts using the $GLOBALS array to clear all global variables set when register_globals is on (in order to simulate register_globals being off) will run into major problems. So:

    <?php
    // Attempt to undo register_globals by unsetting every global
    foreach ( $GLOBALS as $key => $val ) {
        unset( $$key );
    }
    if ( isset( $_GET['expression'] ) ) {
        $output = "hello";
    }
    echo $output;
    ?>

Will fail to unset all the global variables and so $output could have bad values injected into it. It should be impossible to inject data into $output, but this bug allows it to happen.

------------------------------------------------------------------------

[2005-01-07 13:36:49] john at jelsoft dot com

Description:
------------
With register_globals on it is possible to overwrite the $GLOBALS array from GET/POST/COOKIE vars. For example, try the script below:

script.php (will print the full GLOBALS array)
script.php?GLOBALS[php]=error (will print a GLOBALS array with just one entry)

_GET, _POST, etc. superglobals are not vulnerable. PHP5 does not exhibit this behaviour.

Reproduce code:
---------------
    <a href="script.php?GLOBALS[php]=error">kill GLOBALS</a>
    <pre>
    <?php print_r( $GLOBALS ); ?>
    </pre>

Expected result:
----------------
Full display of GLOBALS array

Actual result:
--------------
GLOBALS array with just one entry

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=31440&edit=1
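The cleanup loop in the first comment trusts $GLOBALS, which is exactly what this bug lets a request replace. As an added example that is not part of the report or of PHP itself, here is a variant that takes the list of names to unset from the request sources themselves and rejects any request carrying a GLOBALS key; it assumes it runs at global scope at the top of the entry script, on the PHP 4 line discussed here (register_globals was removed entirely in PHP 5.4).

```php
<?php
// Added example, not from the bug report: undo register_globals without
// walking $GLOBALS, which this bug shows a request can replace.
// Must run at global scope so that unset($$name) acts on the global
// symbol table rather than on a function's local scope.

// 1. Refuse any request that tries to smuggle in a GLOBALS key at all;
//    a client has no legitimate reason to send one.
foreach (array($_GET, $_POST, $_COOKIE) as $source) {
    if (is_array($source) && array_key_exists('GLOBALS', $source)) {
        header('HTTP/1.0 400 Bad Request');
        exit('Invalid request.');
    }
}

// 2. Names that must never be unset: superglobals, PHP-reserved globals
//    and this snippet's own working variables. Extend the list for any
//    legitimately global variables of your own application.
$protected = array(
    'GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES', '_SERVER', '_ENV',
    '_REQUEST', '_SESSION', 'argv', 'argc', 'protected', 'source', 'name',
);

// 3. Build the list of names register_globals would have imported from
//    the request sources themselves, not from the (untrusted) $GLOBALS.
foreach (array($_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV) as $source) {
    if (!is_array($source)) {
        continue;
    }
    foreach (array_keys($source) as $name) {
        $name = (string) $name;
        if (in_array($name, $protected, true)) { // strict: no 0 == 'x' surprises
            continue;
        }
        unset($$name); // variable variable: removes the injected global
    }
}
unset($protected, $source, $name);

// With the cleanup done, $output can only hold what this script assigns.
$output = '';
if (isset($_GET['expression'])) {
    $output = 'hello';
}
echo $output;
```

The real fix remains register_globals = Off in php.ini; this snippet is a fallback for hosts where that setting cannot be changed.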