Bugtraq mailing list archives

Re: PHP parse_str() arbitrary variable overwrite


From: Chuck Swiger <cswiger () mac com>
Date: Wed, 13 Jun 2007 10:23:43 -0700

On Jun 12, 2007, at 4:53 PM, Steven M. Christey wrote:
> Nice find, although it's not really clear to me whether this is
> intended functionality or not.  I assume it's not intended by
> Hardened-PHP and Suhosin, at least :)

Agreed-- using parse_str() against the query passed in is going to let one overwrite arbitrary local variables in the PHP script just by crafting the arguments in the URL appropriately.

It seems to be impossible to use the single-argument variant of parse_str() against QUERY_STRING safely. One ought to always use the two-argument form of parse_str() and put the variables into an array, and then selectively pull them out of that into variables in the local context while doing any necessary sanity checking of their values at the same time.

> You didn't mention this, but even if register_globals is disabled,
> this seems to work, at least in my PHP 4.4.4.

I get the same results as you've described below using both:

  Apache/2.0.59 (FreeBSD) DAV/2 PHP/4.4.7 with Suhosin-Patch

...and:

  Apache/2.2.4 (Darwin) PHP/5.2.3

...so this behavior seems to be intended by design.

Try the code below with:

  ?var=new

  --> generates an error (display_errors=1) that var2 is undefined

  ?var2=new

  --> prints "var2 = new"

--
-Chuck
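The contrast Chuck describes, as an added example that is not code from the original post: a constructed query string is fed to both forms of parse_str() so the behaviour can be observed from the PHP CLI without a web server. The variable names ($page, $template_dir) and the query string are assumptions made for illustration. Note that the one-argument form is deprecated since PHP 7.2 and removed in PHP 8.0, so vulnerable() only runs on older interpreters such as the 4.x/5.x versions discussed in the thread.

```php
<?php
// Added example (not from the original post). Shows why the single-argument
// parse_str() cannot be used safely on QUERY_STRING and how the two-argument
// form with selective extraction avoids the problem.

// Constructed query string standing in for $_SERVER['QUERY_STRING'].
// It carries the parameter the script expects ("page") plus one whose name
// collides with a local variable the script relies on ("template_dir").
$query = 'page=about&template_dir=%2Ftmp%2Funtrusted';

// Single-argument form: parse_str() writes every query parameter straight into
// the calling scope, so any local with a matching name is silently replaced.
function vulnerable($query)
{
    $template_dir = '/var/www/templates';    // value the script depends on
    parse_str($query);                       // clobbers $template_dir
    return "template_dir = $template_dir";   // now whatever the URL supplied
}

// Two-argument form: all parameters land in $params and nothing reaches the
// local scope unless the script copies it out deliberately, after validation.
function hardened($query)
{
    $template_dir = '/var/www/templates';
    parse_str($query, $params);

    // Pull out only the parameter we expect and sanity-check it before use.
    $page = 'index';
    if (isset($params['page']) && preg_match('/^[a-z0-9_-]+$/i', $params['page'])) {
        $page = $params['page'];
    }

    // $params['template_dir'] is never copied out, so the local is untouched.
    return "page = $page, template_dir = $template_dir";
}

echo vulnerable($query), "\n";
echo hardened($query), "\n";
```

Run it with `php example.php`: the first line reports the template directory taken from the query string, the second keeps the script's own value and only accepts the validated `page` parameter. The same pattern applies to any local that the script sets before calling parse_str(), which is the point of the advice to extract variables selectively rather than letting the function populate the scope.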

