Date: Wed, 13 Jun 2007 10:23:43 -0700
From: Chuck Swiger <cswiger@....com>
To: Steven M.Christey <coley@...re.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: PHP parse_str() arbitrary variable overwrite

On Jun 12, 2007, at 4:53 PM, Steven M. Christey wrote:
> Nice find, although it's not really clear to me whether this is
> intended functionality or not.  I assume it's not intended by
> Hardened-PHP and Suhosin, at least :)

Agreed-- using parse_str() against the query passed in is going to let one overwrite arbitrary local variables in the PHP script just by crafting the arguments in the URL appropriately.

It seems impossible to use the single-argument variant of parse_str() against QUERY_STRING safely.  One ought to always use the two-argument form of parse_str() and put the variables into an array, and then selectively pull them out of that into variables in the local context while doing any necessary sanity checking of their values at the same time.

> You didn't mention this, but even if register_globals is disabled,
> this seems to work, at least in my PHP 4.4.4.

I get the same results as you've described below using both:

   Apache/2.0.59 (FreeBSD) DAV/2 PHP/4.4.7 with Suhosin-Patch

...and:

   Apache/2.2.4 (Darwin) PHP/5.2.3

...so this behavior seems to be intended by design.

> Try the code below with:
>
>   ?var=new
>
>   --> generates an error (display_errors=1) that var2 is undefined
>
>   ?var2=new
>
>   --> prints "var2 = new"

-- 
-Chuck

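The two patterns Chuck contrasts, as an added example that is not part of the original thread: the single-argument parse_str() call that lets query-string keys overwrite local variables, beside the two-argument form that collects everything into an array and copies out only the expected key after validating it. The query strings and the `var`/`var2` names mirror the test Steven quotes above; the helper names and the allow-list regex are this example's own assumptions. Note that the single-argument form was removed in PHP 8.0, so `vulnerable()` only exhibits the overwrite on the PHP 4/5/7 interpreters the thread discusses.

```php
<?php
// Added example, not code from the original thread. Query strings
// below are constructed sample input.

// Vulnerable pattern: every key in the query string becomes a local
// variable, so "var2=new" silently replaces $var2 even with
// register_globals disabled. (Single-argument parse_str() was removed
// in PHP 8.0; on earlier versions it writes into the current scope.)
function vulnerable(string $query): string
{
    $var2 = 'default';
    parse_str($query);           // writes $var, $var2, ... into local scope
    return "var2 = $var2";
}

// Hardened pattern: parse into an array so nothing reaches local scope,
// then copy out only the key the script intends to accept, checking
// its type and value before use.
function hardened(string $query): string
{
    $var2 = 'default';
    parse_str($query, $params);  // $params holds the decoded pairs; no locals are touched

    $var = 'default';
    if (isset($params['var'])
        && is_string($params['var'])
        && preg_match('/^[a-z]{1,16}$/', $params['var'])) {  // assumed allow-list for this example
        $var = $params['var'];
    }
    return "var = $var, var2 = $var2";
}

// Run against the same inputs Steven used; $_SERVER['QUERY_STRING']
// would take the place of the literal in a real script.
echo vulnerable('var2=new'), "\n";
echo hardened('var2=new'), "\n";
echo hardened('var=new'), "\n";
```

With the hardened form, `var2=new` in the URL cannot reach `$var2` because the only assignment from request data is the explicit, validated copy of `$params['var']`; any key the script did not ask for simply stays inside `$params`. Reviewing code for this pattern, a bare `parse_str($x)` with one argument is the thing to look for.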