php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #31440 [PATCH] GLOBALS array overwritten from GET/POST/COOKIE vars
Submitted: 2005-01-07 13:36 UTC Modified: 2005-02-17 05:47 UTC
Votes:7
Avg. Score:5.0 ± 0.0
Reproduced:7 of 7 (100.0%)
Same Version:7 (100.0%)
Same OS:5 (71.4%)
From: john at jelsoft dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 4CVS, 5CVS (2005-02-15) OS: *
Private report: No CVE-ID:
 [2005-01-07 13:36 UTC] john at jelsoft dot com
Description:
------------
With 
register_globals on 
it is possible to overwrite the $GLOBALS array from GET/POST/COOKIE vars.

For example, try the script below:

script.php
(will print the full GLOBALS array)

script.php?GLOBALS[php]=error
(will print a GLOBALS array with just one entry)

_GET, _POST, etc superglobals are no vulnerable.
PHP5 does not exhibit this behaviour.


Reproduce code:
---------------
<a href="script.php?GLOBALS[php]=error">kill GLOBALS</a>

<pre>
<?php

print_r( $GLOBALS );

?>
</pre>


Expected result:
----------------
Full display of GLOBALS array

Actual result:
--------------
GLOBALS array with just one entry

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-02-15 12:48 UTC] sniper@php.net
Here are some patches I wrote to fix this:

For PHP_4_3 branch: 
  http://www.php.net/~jani/patches/bug31440.php_4_3_patch
 
For HEAD branch:
  http://www.php.net/~jani/patches/bug31440.php_HEAD_patch

 [2005-02-15 12:49 UTC] sniper@php.net
note: In HEAD you _can_ overwrite GLOBALS with this:

script.php?GLOBALS=error

but NOT with this:

script.php?GLOBALS[php]=error
 [2005-02-17 05:28 UTC] sniper@php.net
Here's better patch, by Ilia:

  http://www.php.net/~jani/patches/bug31440.patch


 [2005-02-17 05:47 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 16:02:23 2014 UTC