From: [EMAIL PROTECTED]
Operating system: Linux - Suse 7.2
PHP version: 4.2.3
PHP Bug Type: PHP options/info functions
Bug description: register_globals=on > Security vulnerability?

Security vulnerability with register_globals=On:

Write this script:

    <?
    echo chop(`/ $target`);
    echo nl2br(`/ $target`);
    echo trim(`/ $target`);
    echo ltrim(`/ $target`);
    ?>

and open it in the browser like:

    xx.php?target=%3Bcat+/etc/group

or

    xx.php?target=%3Bls+/var/log

and so on.

If register_globals=On in the php.ini you can execute remote commands.

I've tested this on 2 servers.

First Server: Apache 1.2.24 and PHP 4.2.1

    './configure' '--with-apxs=/usr/local/apache-1.3.24_01/bin/apxs'
    '--with-config-file-path=/usr/local/apache-1.3.24_01/conf'
    '--with-mysql=/usr' '--with-xml' '--with-gd=/usr/local' '--with-zlib'
    '--with-t1lib' '-with-pdflib=/usr/local'
    '--with-freetype-dir=/usr/local/lib' '--with-png-dir=/usr/local'
    '--with-gettext=/usr/local' '--with-mcrypt=/usr/local'
    '--with-jpeg-dir=/usr/local' '--with-tiff-dir=/usr/local'
    '--with-zlib-dir=/usr/local' '--enable-memory-limit=yes'
    '--enable-debug=no' '--enable-track-vars' '--enable-force-cgi-redirect'
    '--enable-ftp' '--enable-wddx' '--enable-gd-native-ttf'

Second Server: Apache 1.2.27 and PHP 4.2.3

    './configure' '--prefix=/usr/share' '--datadir=/usr/share/php'
    '--bindir=/usr/bin' '--libdir=/usr/share' '--with-config-file-path=/etc'
    '--with-exec-dir=/usr/lib/php/bin' '--with-mysql=/usr' '--with-gd=yes'
    '--enable-gd-native-ttf' '--enable-gd-imgstrttf' '--with-tiff-dir=/usr'
    '--with-jpeg-dir=/usr' '--with-png-dir=/usr' '--with-xpm-dir=/usr/X11R6'
    '--with-ldap=yes' '--with-zlib=yes' '--with-bz2' '--with-gmp' '--with-xml'
    '--with-dom' '--with-ttf' '--with-t1lib' '--with-mcal=/usr'
    '--with-imap-ssl=yes' '--with-imap=yes' '--with-xslt-sablot=/usr'
    '--with-ftp' '--with-ndbm' '--with-gdbm' '--with-mcrypt' '--with-gettext'
    '--with-gd=yes' '--with-qtdom=/usr/lib/qt' '--enable-versioning'
    '--enable-yp' '--enable-bcmath' '--enable-trans-sid'
    '--enable-inline-optimization' '--enable-track-vars'
    '--enable-magic-quotes' '--enable-safe-mode' '--enable-sockets'
    '--enable-sysvsem' '--enable-sysvshm' '--enable-shmop' '--enable-calendar'
    '--enable-mbstring' '--enable-exif' '--enable-ftp' '--enable-memory-limit'
    '--enable-wddx' '--enable-filepro' '--enable-dbase' '--enable-ctype'
    '--disable-debug' '--enable-force-cgi-redirect' '--enable-discard-path'
    '--enable-sigchild' '--with-openssl=/usr/local/ssl' '--with-snmp'
    '--with-apxs=/usr/sbin/apxs' 'i386-suse-linux'

-- 
Edit bug report at http://bugs.php.net/?id=20205&edit=1
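
A hardened counterpart to the script in the report, as an added example that is not part of the original message or of PHP's own code: it reads the parameter explicitly instead of relying on register_globals, maps it through an allow-list, and quotes it with escapeshellarg() before it reaches the shell. The log-viewer task, the ALLOWED_TARGETS paths and the function names are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example (not from the report). Hypothetical task: show the tail of
// one of a few known log files selected by the "target" request parameter.

// Allow-list: request value => fixed path. Constructed sample values.
const ALLOWED_TARGETS = [
    'messages' => '/var/log/messages',
    'mail'     => '/var/log/mail',
];

// Return the fixed path for a request value, or null if it is not allowed.
function resolve_target($raw): ?string
{
    if (!is_string($raw)) {          // rejects arrays such as ?target[]=x
        return null;
    }
    return ALLOWED_TARGETS[$raw] ?? null;
}

// Build the shell command; the path is always passed as one quoted argument.
function build_command(string $path): string
{
    return 'tail -n 20 -- ' . escapeshellarg($path);
}

// $query is the explicit request array ($_GET), never an auto-registered global.
function handle_request(array $query): string
{
    $path = resolve_target($query['target'] ?? null);
    if ($path === null) {
        return "invalid target\n";   // nothing reaches the shell
    }
    $out = shell_exec(build_command($path));
    // Encode the command output before it is written into an HTML page.
    return htmlspecialchars((string) $out, ENT_QUOTES);
}

// Constructed inputs: the second has the shape of the report's parameter,
// URL-decoded. Only the allow-listed key resolves to a path.
foreach (['messages', ';cat /etc/group'] as $sample) {
    echo $sample, ' => ', resolve_target($sample) ?? 'rejected', "\n";
}

// In a web context the page would end with:
// echo nl2br(handle_request($_GET));
```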