lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <15C86308-367B-4B74-AF6F-BB110253D202@mac.com>
Date: Wed, 13 Jun 2007 10:23:43 -0700
From: Chuck Swiger <cswiger@....com>
To: Steven M.Christey <coley@...re.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: PHP parse_str() arbitrary variable overwrite

On Jun 12, 2007, at 4:53 PM, Steven M. Christey wrote:
> Nice find, although it's not really clear to me whether this is
> intended functionality or not.  I assume it's not intended by
> Hardened-PHP and Suhosin, at least :)

Agreed-- using parse_str() against the query passed in is going to  
let one overwrite arbitrary local variables in the PHP script just by  
crafting the arguments in the URL appropriately.

It seems to impossible to use the single-argument variant of parse_str 
() against QUERY_STRING safely.  One ought to always use the two- 
argument form of parse_str() and put the variables into an array, and  
then selectively pull them out of that into variables in the local  
context while doing any necessary sanity checking of their values at  
the same time.

> You didn't mention this, but even if register_globals is disabled,
> this seems to work, at least in my PHP 4.4.4.

I get the same results as you've described below using both:

   Apache/2.0.59 (FreeBSD) DAV/2 PHP/4.4.7 with Suhosin-Patch

...and:

   Apache/2.2.4 (Darwin) PHP/5.2.3

...so this behavior seems to be intended by design.

> Try the code below with:
>
>   ?var=new
>
>   --> generates an error (display_errors=1) that var2 is undefined
>
>   ?var2=new
>
>   --> prints "var2 = new"

-- 
-Chuck

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ