Message-Id: <15C86308-367B-4B74-AF6F-BB110253D202@mac.com>
Date: Wed, 13 Jun 2007 10:23:43 -0700
From: Chuck Swiger <cswiger@....com>
To: Steven M.Christey <coley@...re.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: PHP parse_str() arbitrary variable overwrite
On Jun 12, 2007, at 4:53 PM, Steven M. Christey wrote:
> Nice find, although it's not really clear to me whether this is
> intended functionality or not. I assume it's not intended by
> Hardened-PHP and Suhosin, at least :)
Agreed-- using parse_str() against the query passed in is going to
let one overwrite arbitrary local variables in the PHP script just by
crafting the arguments in the URL appropriately.
It seems impossible to use the single-argument variant of parse_str()
against QUERY_STRING safely. One ought to always use the two-argument
form of parse_str() and put the variables into an array, and then
selectively pull them out of that into variables in the local context
while doing any necessary sanity checking of their values at the same
time.
> You didn't mention this, but even if register_globals is disabled,
> this seems to work, at least in my PHP 4.4.4.
I get the same results as you've described below using both:
Apache/2.0.59 (FreeBSD) DAV/2 PHP/4.4.7 with Suhosin-Patch
...and:
Apache/2.2.4 (Darwin) PHP/5.2.3
...so this behavior seems to be intended by design.
> Try the code below with:
>
> ?var=new
>
> --> generates an error (display_errors=1) that var2 is undefined
>
> ?var2=new
>
> --> prints "var2 = new"
--
-Chuck
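The following is an added example, not code from the thread or from either poster, illustrating the point made above: the single-argument parse_str() form lets the request choose which local variables get written, while the two-argument form confines the parsed keys to an array from which the script copies out only what it expects, validating as it goes. The query strings, variable names ($is_admin, $var2, $var) and the handler functions are all constructed for the demonstration. Note that the single-argument form was deprecated in PHP 7.2 and removed in PHP 8.0, so the unsafe handler is only exercised on older interpreters; the safe handler runs on any version.

```php
<?php
// Added example (not from the original thread). Shows the unsafe
// single-argument parse_str() beside the safe two-argument form.

// Constructed query strings standing in for $_SERVER['QUERY_STRING'].
$queries = [
    'var=new',            // benign: only the parameter the script expects
    'var2=new',           // sets an unrelated local the script trusts
    'is_admin=1&var=x',   // sets a flag the script never meant to expose
];

// Unsafe: single-argument parse_str() writes every key straight into the
// current scope, so the request decides which variables are assigned.
// Only callable on PHP < 8.0; the form was removed in 8.0.
function unsafe_handler(string $query): string
{
    $is_admin = false;     // a local the script relies on
    $var2     = 'default'; // another local the script relies on
    parse_str($query);     // every key in $query becomes a local here
    return sprintf('unsafe: is_admin=%s var2=%s',
                   var_export($is_admin, true), $var2);
}

// Safe: parse into an array, then copy out only the expected keys,
// validating each value before it reaches a local variable.
function safe_handler(string $query): string
{
    $is_admin = false;
    $var2     = 'default';
    parse_str($query, $params);   // everything lands in $params, nowhere else

    // Allow-list the one parameter this handler accepts and check its shape.
    $var = (isset($params['var']) && preg_match('/^[a-z]+$/', $params['var']))
         ? $params['var']
         : 'default';

    // $is_admin and $var2 are never assigned from $params, so a request
    // cannot change them no matter which keys it carries.
    return sprintf('safe: is_admin=%s var2=%s var=%s',
                   var_export($is_admin, true), $var2, $var);
}

foreach ($queries as $q) {
    echo "query: $q\n";
    if (PHP_VERSION_ID < 80000) {
        echo '  ', unsafe_handler($q), "\n";
    } else {
        echo "  unsafe: single-argument parse_str() unavailable on PHP >= 8.0\n";
    }
    echo '  ', safe_handler($q), "\n";
}
```

The design point is that the safe handler never iterates over $params or extracts it wholesale; each local variable it sets is named in the source and its value is checked against an explicit pattern, so the set of variables a request can influence is fixed by the code rather than by the URL.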