ID: 31440 Updated by: [EMAIL PROTECTED] Reported By: john at jelsoft dot com Status: Verified Bug Type: Scripting Engine problem Operating System: * PHP Version: 4CVS, 5CVS (2005-02-15) New Comment:
Here's better patch, by Ilia: http://www.php.net/~jani/patches/bug31440.patch Previous Comments: ------------------------------------------------------------------------ [2005-02-15 12:49:55] [EMAIL PROTECTED] note: In HEAD you _can_ overwrite GLOBALS with this: script.php?GLOBALS=error but NOT with this: script.php?GLOBALS[php]=error ------------------------------------------------------------------------ [2005-02-15 12:48:48] [EMAIL PROTECTED] Here are some patches I wrote to fix this: For PHP_4_3 branch: http://www.php.net/~jani/patches/bug31440.php_4_3_patch For HEAD branch: http://www.php.net/~jani/patches/bug31440.php_HEAD_patch ------------------------------------------------------------------------ [2005-01-07 13:36:49] john at jelsoft dot com Description: ------------ With register_globals on it is possible to overwrite the $GLOBALS array from GET/POST/COOKIE vars. For example, try the script below: script.php (will print the full GLOBALS array) script.php?GLOBALS[php]=error (will print a GLOBALS array with just one entry) _GET, _POST, etc superglobals are no vulnerable. PHP5 does not exhibit this behaviour. Reproduce code: --------------- <a href="script.php?GLOBALS[php]=error">kill GLOBALS</a> <pre> <?php print_r( $GLOBALS ); ?> </pre> Expected result: ---------------- Full display of GLOBALS array Actual result: -------------- GLOBALS array with just one entry ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=31440&edit=1
