 ID:               31440
 User updated by:  john at jelsoft dot com
 Reported By:      john at jelsoft dot com
 Status:           Open
 Bug Type:         Scripting Engine problem
 Operating System: All
 PHP Version:      4.3.10
 New Comment:

phpinfo was requested:

From [EMAIL PROTECTED] [2005-01-11 02:56:35] (a message which was deleted):

"What Web server? Tell us more about your configuration as well."

Please just say that you don't want phpinfo rather than randomly deleting messages and confusing us all.

Now how about this bug...it's been nearly 2 weeks for a pretty serious bug IMHO...


Previous Comments:
------------------------------------------------------------------------

[2005-01-20 19:02:35] [EMAIL PROTECTED]

Please don't add the phpinfo() output if not asked for.

------------------------------------------------------------------------

[2005-01-19 00:53:31] [EMAIL PROTECTED]

Works fine with latest CVS.

------------------------------------------------------------------------

[2005-01-18 19:50:36] john at jelsoft dot com

I have just downloaded the latest snapshot and the bug remains. Build date from my phpinfo() is Jan 18 2005 14:14:51.

------------------------------------------------------------------------

[2005-01-07 23:07:45] john at jelsoft dot com

Just to clarify why this is a very serious issue: any scripts using the $GLOBALS array to clear all global variables set when register_globals is on (in order to simulate register_globals being off) will run into major problems.

So:

foreach( $GLOBALS as $key => $val )
{
    unset( $$key );
}

if ( $_GET['expression'] )
{
    $output = "hello";
}

echo $output;

Will fail to unset all the global variables and so $output could have bad values injected into it. It should be impossible to inject data into $output, but this bug allows it to happen.

------------------------------------------------------------------------

[2005-01-07 13:36:49] john at jelsoft dot com

Description:
------------
With register_globals on it is possible to overwrite the $GLOBALS array from GET/POST/COOKIE vars.
For example, try the script below:

script.php (will print the full GLOBALS array)
script.php?GLOBALS[php]=error (will print a GLOBALS array with just one entry)

_GET, _POST, etc superglobals are not vulnerable. PHP5 does not exhibit this behaviour.

Reproduce code:
---------------
<a href="script.php?GLOBALS[php]=error">kill GLOBALS</a>
<pre>
<?php
print_r( $GLOBALS );
?>
</pre>

Expected result:
----------------
Full display of GLOBALS array

Actual result:
--------------
GLOBALS array with just one entry

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=31440&edit=1
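
Added example, not part of the bug report and not PHP project code: a register_globals scrub that takes its list of names from the request arrays, which the report says are not affected, instead of iterating $GLOBALS, and that refuses any request carrying a parameter named like a superglobal. The function names and the reserved-name list are assumptions made for illustration, and only GET/POST/COOKIE input is covered, as in the report.

```php
<?php
// Added example. Written without type hints or exceptions so it also parses on PHP 4.

// Hypothetical helper: returns the names register_globals may have created from
// the given request arrays, or false if any parameter is named like a superglobal
// (the report's script.php?GLOBALS[php]=error case).
function injected_global_names($sources)
{
    // Assumed list of names a request must never be allowed to set.
    $reserved = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                      '_SERVER', '_ENV', '_FILES', '_SESSION');
    $names = array();
    foreach ($sources as $source) {
        foreach (array_keys($source) as $key) {
            $key = (string) $key;
            if (in_array($key, $reserved, true)) {
                return false;
            }
            $names[$key] = true; // de-duplicate across GET/POST/COOKIE
        }
    }
    return array_keys($names);
}

// Hypothetical wrapper: unset every injected global; false means "reject request".
// Runs inside a function so its own locals cannot collide with injected names.
function scrub_injected_globals($sources)
{
    $names = injected_global_names($sources);
    if ($names === false) {
        return false;
    }
    foreach ($names as $name) {
        unset($GLOBALS[$name]);
    }
    return true;
}

// Constructed sample requests standing in for array($_GET, $_POST, $_COOKIE).
$benign  = array(array('output' => 'injected', 'page' => '2'), array(), array());
$hostile = array(array('GLOBALS' => array('php' => 'error')), array(), array());

$output = 'injected';                            // simulates what register_globals did
var_dump(scrub_injected_globals($benign));       // scrub result for the benign request
var_dump(isset($output));                        // whether $output survived the scrub
var_dump(scrub_injected_globals($hostile));      // scrub result for the GLOBALS request
```

In a real script the call would be scrub_injected_globals(array($_GET, $_POST, $_COOKIE)) at the top of the entry point, with a false return ending the request before any application code runs.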