ID: 21149
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Open
+Status: Verified
Bug Type: Variables related
-Operating System: Linux
+Operating System: All
-PHP Version: 4.2.3
+PHP Version: 4.3.0-dev/4.4.0-dev
-Assigned To:
+Assigned To: iliaa
New Comment:
Updated description.
Previous Comments:
------------------------------------------------------------------------
[2002-12-22 17:04:34] [EMAIL PROTECTED]
While doing a security audit on a PHP web app, I was able to bypass a
variable check wich later allowed me to remotely execute commands on
the web server. Although this was a programming error, I found it very
odd the behaviour from PHP.
Consider the following code as an example:
<?
if ( isset($HTTP_GET_VARS['test']) ||
isset($HTTP_POST_VARS['test']) ||
isset($HTTP_COOKIE_VARS['test']) ) {
echo "not allowed\r\n";
exit;
}
else echo "test not defined, proceed\r\n";
echo "<pre>";
echo "test HTTP_GET_VARS: ".$HTTP_GET_VARS['test'];
echo "\r\n";
echo "var test: $test\r\n";
echo "\r\n";
?>
Having this, and requesting the page as:
ola.php?test[=
The output will be:
test not defined in HTTP_*_VARS
test HTTP_GET_VARS:
var test: Array
So, 'test' is an array, but appears as no set in HTTP_*_VARS.
Regards,
Joao Gouveia
------------
[EMAIL PROTECTED]
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=21149&edit=1
