From: [EMAIL PROTECTED]
Operating system: Linux
PHP version: 4.2.3
PHP Bug Type: Variables related
Bug description: array assignment and HTTP_*_VARS

While doing a security audit on a PHP web app, I was able to bypass a variable check which later allowed me to remotely execute commands on the web server. Although this was a programming error, I found the behaviour from PHP very odd.

Consider the following code as an example:

<?
// Refuse the request if 'test' arrives via GET, POST or cookie
if ( isset($HTTP_GET_VARS['test']) ||
     isset($HTTP_POST_VARS['test']) ||
     isset($HTTP_COOKIE_VARS['test']) ) {
    echo "not allowed\r\n";
    exit;
}
else
    echo "test not defined, proceed\r\n";

// Show what the request array holds and what the global $test holds
echo "<pre>";
echo "test HTTP_GET_VARS: ".$HTTP_GET_VARS['test'];
echo "\r\n";
echo "var test: $test\r\n";
echo "\r\n";
?>

Having this, and requesting the page as:

ola.php?test[=

The output will be:

test not defined in HTTP_*_VARS
test HTTP_GET_VARS:
var test: Array

So, 'test' is an array, but appears as not set in HTTP_*_VARS.

Regards,
Joao Gouveia
------------
[EMAIL PROTECTED]

--
Edit bug report at http://bugs.php.net/?id=21149&edit=1
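
A guard that inspects the variable the script later uses, rather than only the request arrays, catches the state described in this report. This is an added example, not code from the report or from PHP itself; the function names `name_is_unset` and `scalar_param` are hypothetical, and the sample arrays are constructed to mirror the reported state (global `test` is an array while the request arrays have no `test` key).

```php
<?php
// Added example. Helper names are hypothetical; sample data is constructed.

// True only if $name is absent from every request array AND from the
// global scope, so a global populated by register_globals cannot slip
// past a check that looks at the request arrays alone.
function name_is_unset($name, $sources, $globals)
{
    foreach ($sources as $source) {
        if (is_array($source) && array_key_exists($name, $source)) {
            return false;
        }
    }
    return !array_key_exists($name, $globals);
}

// Read a parameter from one explicit source and accept it only when it
// is a plain string; arrays and missing keys yield null.
function scalar_param($source, $name)
{
    if (!is_array($source) || !array_key_exists($name, $source)) {
        return null;
    }
    return is_string($source[$name]) ? $source[$name] : null;
}

// Constructed state matching the report's output: the request arrays do
// not contain 'test', yet a global named 'test' exists and is an array.
$get     = array();
$post    = array();
$cookie  = array();
$globals = array('test' => array());

if (!name_is_unset('test', array($get, $post, $cookie), $globals)) {
    echo "not allowed\r\n";          // reached for the constructed state
} else {
    echo "test not defined, proceed\r\n";
}

// Taking the value from a named source never returns the stray array.
var_dump(scalar_param($get, 'test'));                  // NULL
var_dump(scalar_param(array('test' => 'x'), 'test'));  // string(1) "x"
```

In a real script the third argument would be `$GLOBALS`, and assigning `$test` explicitly before its first use removes the dependence on whatever `register_globals` placed in scope.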