Bugtraq mailing list archives

Re: PHP parse_str() arbitrary variable overwrite

From: "Steven M. Christey" <coley () mitre org>
Date: Tue, 12 Jun 2007 19:53:37 -0400 (EDT)


Nice find, although it's not really clear to me whether this is
intended functionality or not.  I assume it's not intended by
Hardened-PHP and Suhosin, at least :)

You didn't mention this, but even if register_globals is disabled,
this seems to work, at least in my PHP 4.4.4.

Try the code below with:

  ?var=new

  --> generates an error (display_errors=1) that var2 is undefined

  ?var2=new

  --> prints "var2 = new"



<?php
$var = 'init'; #
parse_str($_SERVER['QUERY_STRING']); #
print "var = $var<p>\n"; # new

print "var2 = $var2<p>\n"; # new

?>


- Steve

Current thread:

PHP parse_str() arbitrary variable overwrite gmdarkfig (Jun 12)
- <Possible follow-ups>
- Re: PHP parse_str() arbitrary variable overwrite admin (Jun 12)
- Re: PHP parse_str() arbitrary variable overwrite Steven M. Christey (Jun 13)
  - Re: PHP parse_str() arbitrary variable overwrite Chuck Swiger (Jun 13)
- Re: Re: PHP parse_str() arbitrary variable overwrite gmdarkfig (Jun 13)