Re: PHP parse_str() arbitrary variable overwrite Jun 12 2007 11:53PM
Steven M. Christey (coley mitre org)
Re: PHP parse_str() arbitrary variable overwrite Jun 13 2007 05:23PM
Chuck Swiger (cswiger mac com)
On Jun 12, 2007, at 4:53 PM, Steven M. Christey wrote:
> Nice find, although it's not really clear to me whether this is
> intended functionality or not. I assume it's not intended by
> Hardened-PHP and Suhosin, at least :)

Agreed-- using parse_str() against the query passed in is going to
let one overwrite arbitrary local variables in the PHP script just by
crafting the arguments in the URL appropriately.

It seems to be impossible to use the single-argument variant of
parse_str() against QUERY_STRING safely. One ought to always use the
two-argument form of parse_str() and put the variables into an array,
and then selectively pull them out of that into variables in the local
context while doing any necessary sanity checking of their values at
the same time.

> You didn't mention this, but even if register_globals is disabled,
> this seems to work, at least in my PHP 4.4.4.

I get the same results as you've described below using both:

Apache/2.0.59 (FreeBSD) DAV/2 PHP/4.4.7 with Suhosin-Patch

Apache/2.2.4 (Darwin) PHP/5.2.3

...so this behavior seems to be intended by design.

> Try the code below with:
> ?var=new
> --> generates an error (display_errors=1) that var2 is undefined
> ?var2=new
> --> prints "var2 = new"
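An added example, not part of this thread, that contrasts the single-argument parse_str() pattern discussed above with the two-argument form Chuck recommends; the handler names, the $is_admin local and the constructed query string are assumptions for illustration.

```php
<?php
// Added example: constructed query string standing in for $_SERVER['QUERY_STRING'].
$query = 'var2=new&is_admin=1';

// Unsafe pattern: the single-argument parse_str() writes every key from the
// query string straight into the local scope, so a preexisting local such as
// $is_admin is silently replaced by whatever value the URL supplies.
function unsafe_handler($query) {
    $is_admin = false;
    parse_str($query);  // $is_admin and $var2 are now set from the query string
    return array(
        'is_admin' => $is_admin,
        'var2'     => isset($var2) ? $var2 : null,
    );
}

// Safer pattern: the two-argument form fills an array, and the script copies
// out only the parameters it expects, validating each value before use.
function safe_handler($query) {
    $is_admin = false;
    parse_str($query, $params);  // locals are untouched; everything lands in $params

    $var2 = null;
    if (isset($params['var2']) && is_string($params['var2'])
        && preg_match('/^[a-z]{1,32}$/', $params['var2'])) {
        $var2 = $params['var2'];
    }
    // $is_admin is never sourced from the request, so it keeps its default.
    return array('is_admin' => $is_admin, 'var2' => $var2);
}

var_dump(unsafe_handler($query));
var_dump(safe_handler($query));
```

The single-argument form was deprecated in PHP 7.2 and removed in PHP 8.0, so on current releases only the array-filling form remains available.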


