ID: 31440
Updated by: [EMAIL PROTECTED]
Reported By: john at jelsoft dot com
Status: Open
Bug Type: Scripting Engine problem
Operating System: All
PHP Version: 4.3.10
New Comment:
Please don't add the phpinfo() output if not asked for.
Previous Comments:
------------------------------------------------------------------------
[2005-01-19 00:53:31] [EMAIL PROTECTED]
Works fine with latest CVS.
------------------------------------------------------------------------
[2005-01-18 19:50:36] john at jelsoft dot com
I have just downloaded the latest snapshot and the bug remains. Build
date from my phpinfo() is Jan 18 2005 14:14:51.
------------------------------------------------------------------------
[2005-01-07 23:07:45] john at jelsoft dot com
Just to clarify why this is a very serious issue: any scripts using the
$GLOBALS array to clear all global variables set when register_globals is
on (in order to simulate register_globals being off) will run into major
problems. So:
// Intended cleanup: walk the global symbol table and unset every
// variable that register_globals may have created from the request.
foreach ( $GLOBALS as $key => $val ) {
    unset( $$key );
}
// $output is expected to be undefined here unless the branch below sets it.
if ( $_GET['expression'] ) {
    $output = "hello";
}
echo $output;
Will fail to unset all the global variables and so $output could have
bad values injected into it. It should be impossible to inject data
into $output, but this bug allows it to happen.
------------------------------------------------------------------------
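The cleanup idiom in the comment above relies on $GLOBALS being complete, which is exactly what this bug breaks. The script below is an added example, not the reporter's code and not part of PHP or this bug report: it emulates register_globals=off on a PHP 4 host with register_globals=on without trusting the contents of $GLOBALS at all. It first rejects any request that carries a GLOBALS key (the attack vector described in the report), then unsets exactly the global names that the request arrays would have registered, walking $_GET, $_POST, $_COOKIE, $_SERVER, $_ENV and $_FILES directly. The function name kill_registered_globals(), the $protected list, and the assumption that file uploads register $name, $name_name, $name_type and $name_size are this example's own choices.

```php
<?php
// Added example (not from bug #31440 or the reporter): hardened emulation of
// register_globals=off for PHP 4 running with register_globals=on.
// It never iterates $GLOBALS, so a request that truncates $GLOBALS (this bug)
// cannot hide any injected variable from the cleanup.

function kill_registered_globals()
{
    // A request carrying a GLOBALS key (query string, POST body, cookie, or
    // upload field name) is an attempt to tamper with $GLOBALS itself.
    // Refuse it outright instead of trying to clean up after it.
    if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
        die('Request tampering attempted (GLOBALS key present).');
    }

    // Names that must survive: the superglobals and their PHP 4 long-form aliases.
    // (Assumed list for this example.)
    $protected = array(
        'GLOBALS' => 1, '_GET' => 1, '_POST' => 1, '_COOKIE' => 1,
        '_FILES' => 1, '_SERVER' => 1, '_ENV' => 1, '_REQUEST' => 1,
        'HTTP_GET_VARS' => 1, 'HTTP_POST_VARS' => 1, 'HTTP_COOKIE_VARS' => 1,
        'HTTP_POST_FILES' => 1, 'HTTP_SERVER_VARS' => 1, 'HTTP_ENV_VARS' => 1,
    );

    // Walk the request sources themselves (EGPCS), not $GLOBALS, and remove
    // every global whose name a request could have registered.
    $sources = array($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV);
    foreach ($sources as $source) {
        if (!is_array($source)) {
            continue;
        }
        foreach (array_keys($source) as $name) {
            if (!isset($protected[$name])) {
                // Inside a function, $$name would be a local; $GLOBALS[$name]
                // addresses the global symbol table.
                unset($GLOBALS[$name]);
            }
        }
    }

    // Uploads register several globals per field: $f, $f_name, $f_type, $f_size
    // (assumed set of suffixes for this example).
    foreach (array_keys($_FILES) as $name) {
        foreach (array('', '_name', '_type', '_size') as $suffix) {
            if (!isset($protected[$name . $suffix])) {
                unset($GLOBALS[$name . $suffix]);
            }
        }
    }
}

kill_registered_globals();

// After the cleanup, $output is under the script's control regardless of the
// query string: it is initialised here and only the branch below can change it.
$output = '';
if (!empty($_GET['expression'])) {
    $output = 'hello';
}
echo htmlspecialchars($output);
?>
```

Call kill_registered_globals() as the very first statement of the entry script, before any include, so that no code runs against the polluted global table. The die() on a GLOBALS key is deliberate: a legitimate client never sends one, and refusing the request is safer than trying to reconstruct $GLOBALS after it has been replaced.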
[2005-01-07 13:36:49] john at jelsoft dot com
Description:
------------
With
register_globals on
it is possible to overwrite the $GLOBALS array from GET/POST/COOKIE
vars.
For example, try the script below:
script.php
(will print the full GLOBALS array)
script.php?GLOBALS[php]=error
(will print a GLOBALS array with just one entry)
_GET, _POST, etc. superglobals are not vulnerable.
PHP5 does not exhibit this behaviour.
Reproduce code:
---------------
<a href="script.php?GLOBALS[php]=error">kill GLOBALS</a>
<pre>
<?php
print_r( $GLOBALS );
?>
</pre>
Expected result:
----------------
Full display of GLOBALS array
Actual result:
--------------
GLOBALS array with just one entry
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=31440&edit=1