ID:               31440
Updated by:       [EMAIL PROTECTED]
Reported By:      john at jelsoft dot com
-Status:          Verified
+Status:          Closed
Bug Type:         Scripting Engine problem
Operating System: *
PHP Version:      4CVS, 5CVS (2005-02-15)
New Comment:

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.


Previous Comments:
------------------------------------------------------------------------

[2005-02-17 05:28:03] [EMAIL PROTECTED]

Here's a better patch, by Ilia:

http://www.php.net/~jani/patches/bug31440.patch

------------------------------------------------------------------------

[2005-02-15 12:49:55] [EMAIL PROTECTED]

note: In HEAD you _can_ overwrite GLOBALS with this:

  script.php?GLOBALS=error

but NOT with this:

  script.php?GLOBALS[php]=error

------------------------------------------------------------------------

[2005-02-15 12:48:48] [EMAIL PROTECTED]

Here are some patches I wrote to fix this:

For PHP_4_3 branch:
http://www.php.net/~jani/patches/bug31440.php_4_3_patch

For HEAD branch:
http://www.php.net/~jani/patches/bug31440.php_HEAD_patch

------------------------------------------------------------------------

[2005-01-07 13:36:49] john at jelsoft dot com

Description:
------------
With register_globals on it is possible to overwrite the $GLOBALS array
from GET/POST/COOKIE vars.

For example, try the script below:

script.php (will print the full GLOBALS array)
script.php?GLOBALS[php]=error (will print a GLOBALS array with just one
entry)

_GET, _POST, etc. superglobals are not vulnerable.

PHP5 does not exhibit this behaviour.

Reproduce code:
---------------
<a href="script.php?GLOBALS[php]=error">kill GLOBALS</a>
<pre>
<?php
print_r( $GLOBALS );
?>
</pre>

Expected result:
----------------
Full display of GLOBALS array

Actual result:
--------------
GLOBALS array with just one entry

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=31440&edit=1
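
For installations that cannot yet move to a fixed snapshot, an application-level check can refuse requests that carry a top-level GLOBALS key. The following is an added example, not code from this report or from the PHP source tree; the function name find_globals_override is hypothetical, the sample query strings are the ones quoted in the thread, and the check assumes (as the report states) that the _GET/_POST/_COOKIE superglobals themselves stay intact.

```php
<?php
// Added example (not from the bug report): detect request input that names
// GLOBALS at the top level, in either form quoted in the thread.
// Written with array() syntax so it also parses on PHP 4.

/**
 * Return the labels of the input sources that contain a top-level GLOBALS key.
 * $sources maps a label ("GET", "POST", "COOKIE") to the parsed input array.
 */
function find_globals_override($sources)
{
    $hits = array();
    foreach ($sources as $label => $vars) {
        // Variable names are case-sensitive, so only the exact key matters.
        if (is_array($vars) && array_key_exists('GLOBALS', $vars)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Constructed sample input, modelled on the URLs in the report.
$samples = array(
    'id=42',               // benign request
    'GLOBALS=error',       // scalar form
    'GLOBALS[php]=error',  // array form
);

foreach ($samples as $qs) {
    $get = array();
    parse_str($qs, $get);  // parse the query string into an array, like $_GET
    $hits = find_globals_override(
        array('GET' => $get, 'POST' => array(), 'COOKIE' => array())
    );
    $verdict = $hits ? 'reject (' . implode(',', $hits) . ')' : 'accept';
    printf("%-22s %s\n", $qs, $verdict);
}

// Hypothetical placement in an entry script, before any other code runs:
// if (find_globals_override(array('GET' => $_GET, 'POST' => $_POST,
//                                 'COOKIE' => $_COOKIE))) {
//     header('HTTP/1.0 400 Bad Request');
//     exit;
// }
```

The check is a stopgap for unpatched builds; it does not replace the fix committed to CVS or turning register_globals off.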