ID: 31440
User updated by: john at jelsoft dot com
Reported By: john at jelsoft dot com
-Status: Feedback
+Status: Open
Bug Type: Scripting Engine problem
Operating System: All
PHP Version: 4.3.10
New Comment:
I have tested it on Apache 2/Linux (RH9 I think) and on IIS/WinXP.
phpinfo for WinXP is below:
PHP Version 4.3.10
System Windows NT NEWPC 5.1 build 2600
Build Date Dec 14 2004 17:46:48
Server API CGI/FastCGI
Virtual Directory Support enabled
Configuration File (php.ini) Path C:\WINDOWS\php.ini
PHP API 20020918
PHP Extension 20020429
Zend Extension 20021010
Debug Build no
Thread Safety enabled
Registered PHP Streams php, http, ftp, compress.zlib
This program makes use of the Zend Scripting Language Engine:
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
Configuration
PHP Core
Directive Local Value Master Value
allow_call_time_pass_reference On On
allow_url_fopen On On
always_populate_raw_post_data Off Off
arg_separator.input & &
arg_separator.output & &
asp_tags Off Off
auto_append_file no value no value
auto_prepend_file no value no value
browscap no value no value
default_charset no value no value
default_mimetype text/html text/html
define_syslog_variables Off Off
disable_classes no value no value
disable_functions no value no value
display_errors On On
display_startup_errors Off Off
doc_root no value no value
docref_ext no value no value
docref_root no value no value
enable_dl On On
error_append_string no value no value
error_log no value no value
error_prepend_string no value no value
error_reporting 2047 2047
expose_php On On
extension_dir ./ ./
file_uploads On On
gpc_order GPC GPC
highlight.bg #FFFFFF #FFFFFF
highlight.comment #FF8000 #FF8000
highlight.default #0000BB #0000BB
highlight.html #000000 #000000
highlight.keyword #007700 #007700
highlight.string #DD0000 #DD0000
html_errors On On
ignore_repeated_errors Off Off
ignore_repeated_source Off Off
ignore_user_abort Off Off
implicit_flush Off Off
include_path .;c:\php4\pear .;c:\php4\pear
log_errors Off Off
log_errors_max_len 1024 1024
magic_quotes_gpc On On
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off
max_execution_time 30 30
max_input_time 60 60
open_basedir no value no value
output_buffering no value no value
output_handler no value no value
post_max_size 8M 8M
precision 12 12
register_argc_argv On On
register_globals On On
report_memleaks On On
safe_mode Off Off
safe_mode_exec_dir no value no value
safe_mode_gid Off Off
safe_mode_include_dir no value no value
sendmail_from [EMAIL PROTECTED] [EMAIL PROTECTED]
sendmail_path no value no value
serialize_precision 100 100
short_open_tag On On
SMTP mail.jelsoft.com mail.jelsoft.com
smtp_port 25 25
sql.safe_mode Off Off
track_errors Off Off
unserialize_callback_func no value no value
upload_max_filesize 2M 2M
upload_tmp_dir C:\Program Files\PHP\uploadtemp C:\Program Files\PHP\uploadtemp
user_dir no value no value
variables_order EGPCS EGPCS
xmlrpc_error_number 0 0
xmlrpc_errors Off Off
y2k_compliance On On
bcmath
BCMath support enabled
calendar
Calendar support enabled
com
Directive Local Value Master Value
com.allow_dcom Off Off
com.autoregister_casesensitive On On
com.autoregister_typelib Off Off
com.autoregister_verbose Off Off
com.typelib_file no value no value
ctype
ctype functions enabled
ftp
FTP support enabled
mysql
MySQL Support enabled
Active Persistent Links 0
Active Links 0
Client API version 3.23.49
Directive Local Value Master Value
mysql.allow_persistent On On
mysql.connect_timeout 60 60
mysql.default_host no value no value
mysql.default_password no value no value
mysql.default_port no value no value
mysql.default_socket no value no value
mysql.default_user no value no value
mysql.max_links Unlimited Unlimited
mysql.max_persistent Unlimited Unlimited
mysql.trace_mode Off Off
odbc
ODBC Support enabled
Active Persistent Links 0
Active Links 0
ODBC library Win32
Directive Local Value Master Value
odbc.allow_persistent On On
odbc.check_persistent On On
odbc.default_db no value no value
odbc.default_pw no value no value
odbc.default_user no value no value
odbc.defaultbinmode return as is return as is
odbc.defaultlrl return up to 4096 bytes return up to 4096 bytes
odbc.max_links Unlimited Unlimited
odbc.max_persistent Unlimited Unlimited
overload
User-Space Object Overloading Support enabled
pcre
PCRE (Perl Compatible Regular Expressions) Support enabled
PCRE Library Version 4.5 01-December-2003
session
Session Support enabled
Registered save handlers files user
Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 100 100
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path C:\Program Files\PHP\sessiondata C:\Program Files\PHP\sessiondata
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid Off Off
standard
Regex Library Bundled library enabled
Dynamic Library Support enabled
Internal Sendmail Support for Windows enabled
Directive Local Value Master Value
assert.active 1 1
assert.bail 0 0
assert.callback no value no value
assert.quiet_eval 0 0
assert.warning 1 1
auto_detect_line_endings 0 0
default_socket_timeout 60 60
safe_mode_allowed_env_vars PHP_ PHP_
safe_mode_protected_env_vars LD_LIBRARY_PATH LD_LIBRARY_PATH
url_rewriter.tags a=href,area=href,frame=src,input=src,form=,fieldset= a=href,area=href,frame=src,input=src,form=,fieldset=
user_agent no value no value
tokenizer
Tokenizer Support enabled
wddx
WDDX Support enabled
WDDX Session Serializer enabled
xml
XML Support active
XML Namespace Support active
EXPAT Version 1.95.6
zlib
ZLib Support enabled
Compiled Version 1.1.4
Linked Version 1.1.4
Directive Local Value Master Value
zlib.output_compression Off Off
zlib.output_compression_level -1 -1
zlib.output_handler no value no value
Additional Modules
Module Name
Environment
Variable Value
ALLUSERSPROFILE C:\Documents and Settings\All Users
CommonProgramFiles C:\Program Files\Common Files
COMPUTERNAME NEWPC
ComSpec C:\WINDOWS\system32\cmd.exe
CONTENT_LENGTH 0
FP_NO_HOST_CHECK NO
GATEWAY_INTERFACE CGI/1.1
HTTP_ACCEPT
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
HTTP_ACCEPT_LANGUAGE en-gb,en;q=0.5
HTTP_CONNECTION keep-alive
HTTP_HOST localhost
HTTP_USER_AGENT Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.5) Gecko/20041110 Firefox/1.0
HTTP_ACCEPT_ENCODING gzip,deflate
HTTP_ACCEPT_CHARSET ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_KEEP_ALIVE 300
HTTPS off
INSTANCE_ID 1
LOCAL_ADDR 127.0.0.1
NUMBER_OF_PROCESSORS 2
OS Windows_NT
Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATH_INFO /phpinfo.php
PATH_TRANSLATED c:\inetpub\wwwroot\phpinfo.php
PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE x86
PROCESSOR_IDENTIFIER x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL 15
PROCESSOR_REVISION 0304
ProgramFiles C:\Program Files
REMOTE_ADDR 127.0.0.1
REMOTE_HOST 127.0.0.1
REQUEST_METHOD GET
SCRIPT_NAME /phpinfo.php
SERVER_NAME localhost
SERVER_PORT 80
SERVER_PORT_SECURE 0
SERVER_PROTOCOL HTTP/1.1
SERVER_SOFTWARE Microsoft-IIS/5.1
SystemDrive C:
SystemRoot C:\WINDOWS
TEMP C:\WINDOWS\TEMP
TMP C:\WINDOWS\TEMP
USERPROFILE C:\Documents and Settings\LocalService
windir C:\WINDOWS
Previous Comments:
------------------------------------------------------------------------
[2005-01-11 02:56:35] [EMAIL PROTECTED]
Wow, lots of reproduce votes.
What Web server? Tell us more about your configuration as well.
------------------------------------------------------------------------
[2005-01-07 23:07:45] john at jelsoft dot com
Just to clarify why this is a very serious issue: any scripts using the
$GLOBALS array to clear all global variables set when register_globals is
on (in order to simulate register_globals being off) will run into major
problems. So:

<?php
// Intended to undo register_globals by unsetting every global variable.
foreach ( $GLOBALS as $key => $val ) {
    unset( $$key );
}
if ( $_GET['expression'] ) {
    $output = "hello";
}
echo $output;
?>

will fail to unset all the global variables and so $output could have
bad values injected into it. It should be impossible to inject data
into $output, but this bug allows it to happen.
------------------------------------------------------------------------
[2005-01-07 13:36:49] john at jelsoft dot com
Description:
------------
With register_globals on it is possible to overwrite the $GLOBALS array
from GET/POST/COOKIE vars.

For example, try the script below:
script.php
(will print the full GLOBALS array)
script.php?GLOBALS[php]=error
(will print a GLOBALS array with just one entry)

_GET, _POST, etc. superglobals are not vulnerable.
PHP5 does not exhibit this behaviour.
Reproduce code:
---------------
<a href="script.php?GLOBALS[php]=error">kill GLOBALS</a>
<pre>
<?php
print_r( $GLOBALS );
?>
</pre>
Expected result:
----------------
Full display of GLOBALS array
Actual result:
--------------
GLOBALS array with just one entry
------------------------------------------------------------------------
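As an added, defensive example (not code from this report or from the PHP project): a cleanup routine that emulates register_globals=Off on an affected PHP 4 build without trusting the $GLOBALS enumeration that the comment above shows failing. It drives the unsetting from the superglobals, which the report notes are not affected, and refuses any request that carries a GLOBALS or superglobal key; the function name unregister_globals() is an assumption.

```php
<?php
// Added, defensive example; not code from the bug report or from PHP itself.
// Emulates register_globals=Off without trusting the $GLOBALS enumeration,
// since this bug lets a request such as ?GLOBALS[php]=error replace it.
// The function name unregister_globals() is an assumption for this example.
function unregister_globals()
{
    if (!ini_get('register_globals')) {
        return;                     // nothing was auto-registered
    }
    // Names a request must never be allowed to register or clobber.
    $protected = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES',
                       '_ENV', '_SERVER', '_REQUEST', '_SESSION');
    $sources = array($_GET, $_POST, $_COOKIE, $_FILES, $_ENV, $_SERVER);

    // Pass 1: refuse the request if any input source carries a protected
    // name. The superglobals are intact (the report notes they are not
    // affected), so this check does not depend on $GLOBALS at all.
    foreach ($sources as $src) {
        foreach (array_keys($src) as $name) {
            if (in_array($name, $protected, true)) {
                header('HTTP/1.0 400 Bad Request');
                exit;
            }
        }
    }
    // Pass 2: sanity-check $GLOBALS itself. A genuine symbol table always
    // contains the superglobals; a replaced one holds only request keys.
    if (!array_key_exists('_SERVER', $GLOBALS)) {
        header('HTTP/1.0 500 Internal Server Error');
        exit;
    }
    // Pass 3: remove the auto-registered copies, driven by the input keys
    // rather than by iterating $GLOBALS.
    foreach ($sources as $src) {
        foreach (array_keys($src) as $name) {
            unset($GLOBALS[$name]);
        }
    }
}

unregister_globals();
// From here on, $output (or any other global) can only be set by the script.
?>
```

Call it as the very first statement of the entry script, before any output or variable assignment, since the auto-registered variables already exist when execution begins.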
--
Edit this bug report at http://bugs.php.net/?id=31440&edit=1