php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #20205 register_globals=on > Security vulnerability?
Submitted: 2002-10-31 15:52 UTC Modified: 2002-10-31 16:14 UTC
From: postfach74 at yahoo dot de Assigned:
Status: Not a bug Package: PHP options/info functions
PHP Version: 4.2.3 OS: Linux - Suse 7.2
Private report: No CVE-ID: None
 [2002-10-31 15:52 UTC] postfach74 at yahoo dot de
Security vulnerability with register_globals=On:

write this script:

<?
echo chop(`/ $target`);
echo nl2br(`/ $target`); 
echo trim(`/ $target`); 
echo ltrim(`/ $target`);
?>


and open it in the browser like :

xx.php?target=%3Bcat+/etc/group

or

xx.php?target=%3Bls+/var/log

and so on.

If register_globals=On in the php.ini you can execute remote commands.
I`ve test this on 2 Server.

First Server:

Apache 1.2.24 and PHP 4.2.1 

'./configure' '--with-apxs=/usr/local/apache-1.3.24_01/bin/apxs' '--with-config-file-path=/usr/local/apache-1.3.24_01/conf' '--with-mysql=/usr' '--with-xml' '--with-gd=/usr/local' '--with-zlib' '--with-t1lib' '-with-pdflib=/usr/local' '--with-freetype-dir=/usr/local/lib' '--with-png-dir=/usr/local' '--with-gettext=/usr/local' '--with-mcrypt=/usr/local' '--with-jpeg-dir=/usr/local' '--with-tiff-dir=/usr/local' '--with-zlib-dir=/usr/local' '--enable-memory-limit=yes' '--enable-debug=no' '--enable-track-vars' '--enable-force-cgi-redirect' '--enable-ftp' '--enable-wddx' '--enable-gd-native-ttf'

Second Server:

Apache 1.2.27 and PHP 4.2.3
./configure' '--prefix=/usr/share' '--datadir=/usr/share/php' '--bindir=/usr/bin' '--libdir=/usr/share' '--with-config-file-path=/etc' '--with-exec-dir=/usr/lib/php/bin' '--with-mysql=/usr' '--with-gd=yes' '--enable-gd-native-ttf' '--enable-gd-imgstrttf' '--with-tiff-dir=/usr' '--with-jpeg-dir=/usr' '--with-png-dir=/usr' '--with-xpm-dir=/usr/X11R6' '--with-ldap=yes' '--with-zlib=yes' '--with-bz2' '--with-gmp' '--with-xml' '--with-dom' '--with-ttf' '--with-t1lib' '--with-mcal=/usr' '--with-imap-ssl=yes' '--with-imap=yes' '--with-xslt-sablot=/usr' '--with-ftp' '--with-ndbm' '--with-gdbm' '--with-mcrypt' '--with-gettext' '--with-gd=yes' '--with-qtdom=/usr/lib/qt' '--enable-versioning' '--enable-yp' '--enable-bcmath' '--enable-trans-sid' '--enable-inline-optimization' '--enable-track-vars' '--enable-magic-quotes' '--enable-safe-mode' '--enable-sockets' '--enable-sysvsem' '--enable-sysvshm' '--enable-shmop' '--enable-calendar' '--enable-mbstring' '--enable-exif' '--enable-ftp' '--enable-memory-limit' '--enable-wddx' '--enable-filepro' '--enable-dbase' '--enable-ctype' '--disable-debug' '--enable-force-cgi-redirect' '--enable-discard-path' '--enable-sigchild' '--with-openssl=/usr/local/ssl' '--with-snmp' '--with-apxs=/usr/sbin/apxs' 'i386-suse-linux'
 

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-10-31 16:14 UTC] iliaa@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PHP.

Input validation is your friend.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 22:01:28 2024 UTC