Bug #31440 [PATCH] GLOBALS array overwritten from GET/POST/COOKIE vars
Submitted: 2005-01-07 13:36 UTC Modified: 2005-02-17 05:47 UTC
Votes:7
Avg. Score:5.0 ± 0.0
Reproduced:7 of 7 (100.0%)
Same Version:7 (100.0%)
Same OS:5 (71.4%)
From: john at jelsoft dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 4CVS, 5CVS (2005-02-15) OS: *
Private report: No CVE-ID: None
 [2005-01-07 13:36 UTC] john at jelsoft dot com
Description:
------------
With register_globals on it is possible to overwrite the $GLOBALS array from GET/POST/COOKIE vars.

For example, try the script below:

script.php
(will print the full GLOBALS array)

script.php?GLOBALS[php]=error
(will print a GLOBALS array with just one entry)

_GET, _POST, etc. superglobals are not vulnerable.
PHP5 does not exhibit this behaviour.


Reproduce code:
---------------
<a href="script.php?GLOBALS[php]=error">kill GLOBALS</a>

<pre>
<?php

print_r( $GLOBALS );

?>
</pre>


Expected result:
----------------
Full display of GLOBALS array

Actual result:
--------------
GLOBALS array with just one entry

 [2005-02-15 12:48 UTC] sniper@php.net
Here are some patches I wrote to fix this:

For PHP_4_3 branch: 
  http://www.php.net/~jani/patches/bug31440.php_4_3_patch
 
For HEAD branch:
  http://www.php.net/~jani/patches/bug31440.php_HEAD_patch

 [2005-02-15 12:49 UTC] sniper@php.net
note: In HEAD you _can_ overwrite GLOBALS with this:

script.php?GLOBALS=error

but NOT with this:

script.php?GLOBALS[php]=error
 [2005-02-17 05:28 UTC] sniper@php.net
Here's a better patch, by Ilia:

  http://www.php.net/~jani/patches/bug31440.patch


 [2005-02-17 05:47 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
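
Added example, not part of the original report or of the PHP patches: a request guard for applications that still run with register_globals on or that import request variables into global scope themselves. It uses the query strings from this report as constructed input; the function name reserved_request_keys is hypothetical.

```php
<?php
// Added example: not code from the bug report or from the PHP patches.
// reserved_request_keys() is a hypothetical helper name.

/**
 * Return the reserved top-level names found in the given request arrays.
 * Only "GLOBALS" is listed because that is the name this report covers.
 */
function reserved_request_keys(array ...$sources): array
{
    $reserved = ['GLOBALS'];
    $hits = [];
    foreach ($sources as $source) {
        foreach (array_keys($source) as $key) {
            // Numeric keys come back as int; compare as strings.
            if (in_array((string) $key, $reserved, true)) {
                $hits[(string) $key] = true;
            }
        }
    }
    return array_keys($hits);
}

// Constructed input: the query strings from the report plus a benign one.
$queries = ['', 'GLOBALS[php]=error', 'GLOBALS=error', 'page=2&GLOBALSX=1'];

foreach ($queries as $query) {
    // parse_str() applies the same bracket syntax PHP uses for $_GET, so
    // "GLOBALS[php]=error" and "GLOBALS=error" both produce the key "GLOBALS".
    parse_str($query, $get);
    $hits = reserved_request_keys($get);
    printf("%-20s %s\n", $query === '' ? '(no query)' : $query,
        $hits ? 'reject: ' . implode(', ', $hits) : 'ok');
}

// At a real entry point, before any request data is imported into scope:
// if (reserved_request_keys($_GET, $_POST, $_COOKIE)) {
//     http_response_code(400);
//     exit;
// }
```

The check compares only top-level keys, so it catches both the array form and the scalar form mentioned in the comments above without inspecting values.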


 
Last updated: Sat Nov 23 08:01:28 2024 UTC