ID:               31440
 User updated by:  john at jelsoft dot com
 Reported By:      john at jelsoft dot com
 Status:           Open
 Bug Type:         Scripting Engine problem
 Operating System: All
 PHP Version:      4.3.10
 New Comment:

phpinfo was requested: From [EMAIL PROTECTED] [2005-01-11 02:56:35] (a
message which was deleted):
"What Web server? Tell us more about your configuration as well."

Please just say that you don't want phpinfo rather than randomly
deleting messages and confusing us all.

Now how about this bug...it's been nearly 2 weeks for a pretty serious
bug IMHO...


Previous Comments:
------------------------------------------------------------------------

[2005-01-20 19:02:35] [EMAIL PROTECTED]

Please don't add the phpinfo() output if not asked for.


------------------------------------------------------------------------

[2005-01-19 00:53:31] [EMAIL PROTECTED]

Works fine with latest CVS.

------------------------------------------------------------------------

[2005-01-18 19:50:36] john at jelsoft dot com

I have just downloaded the latest snapshot and the bug remains. Build
date from my phpinfo() is Jan 18 2005 14:14:51.

------------------------------------------------------------------------

[2005-01-07 23:07:45] john at jelsoft dot com

Just to clarify why this is a very serious issue: any scripts using the
$GLOBALS array to clear all global variables set when register_globals is
on (in order to simulate register_globals being off) will run into major
problems. So:

foreach( $GLOBALS as $key => $val ) {
  unset( $$key );
}

if ( $_GET['expression'] ) {
  $output = "hello";
}
echo $output;

Will fail to unset all the global variables and so $output could have
bad values injected into it. It should be impossible to inject data
into $output, but this bug allows it to happen.

------------------------------------------------------------------------

[2005-01-07 13:36:49] john at jelsoft dot com

Description:
------------
With register_globals on it is possible to overwrite the $GLOBALS array
from GET/POST/COOKIE vars.

For example, try the script below:

script.php
(will print the full GLOBALS array)

script.php?GLOBALS[php]=error
(will print a GLOBALS array with just one entry)

_GET, _POST, etc superglobals are not vulnerable.
PHP5 does not exhibit this behaviour.


Reproduce code:
---------------
<a href="script.php?GLOBALS[php]=error">kill GLOBALS</a>

<pre>
<?php

print_r( $GLOBALS );

?>
</pre>


Expected result:
----------------
Full display of GLOBALS array

Actual result:
--------------
GLOBALS array with just one entry


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=31440&edit=1
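
An added example, not part of the bug report or of PHP's own code: one way to emulate register_globals being off without iterating $GLOBALS as the loop in the 2005-01-07 23:07 comment does. It takes the names to clear from the request arrays and refuses any request that carries a GLOBALS key; the function names, the protected-name list and the sample requests are assumptions made for illustration.

```php
<?php
// Added example (not from the report). Syntax kept to what PHP 4.3 accepts.

// Names a request must never be allowed to register or clear (assumed list).
function protected_names() {
    return array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                 '_SERVER', '_ENV', '_FILES', '_SESSION');
}

// Collect the variable names register_globals would create from the given
// request arrays. Returns false if any key targets a protected name.
// Only the request arrays are read here, never $GLOBALS.
function injected_names($sources) {
    $names = array();
    foreach ($sources as $source) {
        foreach (array_keys((array) $source) as $key) {
            if (in_array((string) $key, protected_names(), true)) {
                return false; // e.g. script.php?GLOBALS[php]=error
            }
            $names[] = (string) $key;
        }
    }
    return array_unique($names);
}

// Clear request-derived globals. Assumption: once no source carries a
// GLOBALS key, $GLOBALS is the genuine symbol table and safe to unset from.
function scrub_registered_globals($sources) {
    $names = injected_names($sources);
    if ($names === false) {
        return false; // caller should stop processing the request
    }
    foreach ($names as $name) {
        unset($GLOBALS[$name]);
    }
    return count($names);
}

// Constructed sample requests standing in for array($_GET, $_POST, $_COOKIE).
$benign  = array(array('output' => 'injected', 'expression' => ''), array(), array());
$hostile = array(array('GLOBALS' => array('php' => 'error')), array(), array());

$output = 'injected'; // stands in for what register_globals does with ?output=injected
var_dump(scrub_registered_globals($benign));  // number of names cleared
var_dump(isset($output));                     // whether $output survived the scrub
var_dump(scrub_registered_globals($hostile)); // false means the request is rejected
```

In a real script the call would be scrub_registered_globals(array($_GET, $_POST, $_COOKIE)) at the top of the entry point, with the request aborted when it returns false.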
