PHP Parse_Str Register_Globals Activation Weakness
PHP is prone to a weakness that allows remote attackers to re-enable the 'register_globals' directive. The issue is due to the application's failure to handle a memory-limit exception. Once re-enabled, 'register_globals' remains enabled for the rest of the lifetime of the affected process. If PHP is run as an Apache module, the process that handled the malicious request keeps 'register_globals' enabled for the duration of that process's life. If PHP is run as a CGI process, this issue is not likely exploitable. With 'register_globals' enabled, attackers may be able to further exploit latent vulnerabilities in PHP scripts.