Bug #31440 [PATCH] GLOBALS array overwritten from GET/POST/COOKIE vars
Submitted: 2005-01-07 13:36 UTC Modified: 2005-02-17 05:47 UTC
Avg. Score:5.0 ± 0.0
Reproduced:7 of 7 (100.0%)
Same Version:7 (100.0%)
Same OS:5 (71.4%)
From: john at jelsoft dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 4CVS, 5CVS (2005-02-15) OS: *
Private report: No CVE-ID:
 [2005-01-07 13:36 UTC] john at jelsoft dot com
With register_globals on, it is possible to overwrite the $GLOBALS array from GET/POST/COOKIE vars.

For example, try the script below:

(will print the full GLOBALS array)

(will print a GLOBALS array with just one entry)

_GET, _POST, etc. superglobals are not vulnerable.
PHP5 does not exhibit this behaviour.

Reproduce code:
<a href="script.php?GLOBALS[php]=error">kill GLOBALS</a>

<?php
print_r( $GLOBALS );
?>

Expected result:
Full display of GLOBALS array

Actual result:
GLOBALS array with just one entry
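
An application-level guard for the request shown in this report, added here as an example (it is not part of the original report or of PHP's own fix): it refuses any request whose GET/POST/COOKIE/FILES data has a top-level key named GLOBALS. The function names are hypothetical, and the extra superglobal names in the list are a defence-in-depth assumption, since the report says those are not affected.

```php
<?php
// Added example, not PHP's own fix. Written in PHP 4 compatible syntax.
// All function names below are hypothetical.

// Names that request input must never be allowed to define.
// Only GLOBALS comes from the report; the rest are an assumption.
function reserved_names()
{
    return array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                 '_SERVER', '_ENV', '_FILES', '_SESSION');
}

// Return "SOURCE:name" for every top-level request key that collides with a
// reserved name. A request for script.php?GLOBALS[php]=error arrives as the
// key "GLOBALS" holding an array, so checking top-level keys is enough.
function find_reserved_keys($sources)
{
    $hits = array();
    foreach ($sources as $label => $vars) {
        if (!is_array($vars)) {
            continue;
        }
        foreach (reserved_names() as $name) {
            if (array_key_exists($name, $vars)) {
                $hits[] = $label . ':' . $name;
            }
        }
    }
    return $hits;
}

// Call this first in the script, before any global variable is trusted.
function reject_reserved_input()
{
    $hits = find_reserved_keys(array('GET' => $_GET, 'POST' => $_POST,
                                     'COOKIE' => $_COOKIE, 'FILES' => $_FILES));
    if (count($hits) > 0) {
        header('HTTP/1.0 400 Bad Request');
        error_log('reserved variable name in request: ' . implode(', ', $hits));
        exit('Bad request');
    }
}

// Constructed sample input mirroring the report's URL.
$sample = array('GET'  => array('GLOBALS' => array('php' => 'error')),
                'POST' => array('id' => '7'));
print_r(find_reserved_keys($sample));
```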


 [2005-02-15 12:48 UTC]
Here are some patches I wrote to fix this:

For PHP_4_3 branch:
For HEAD branch:

 [2005-02-15 12:49 UTC]
note: In HEAD you _can_ overwrite GLOBALS with this:


but NOT with this:

 [2005-02-17 05:28 UTC]
Here's a better patch, by Ilia:

 [2005-02-17 05:47 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

Last updated: Mon Nov 30 22:01:38 2015 UTC