Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: PHP import_request_variables() arbitrary variable overwrite
From: "Steven M. Christey" <coley () mitre org>
Date: Mon, 12 Mar 2007 18:25:48 -0400 (EDT)

Stefano Di Paola said:

1. I search on google for import_request_variables advisories
(nothing found)
2. I search on php.net in changeLog for fixes (nothing found).

I can see why you weren't able to find anything.  However, there have
been a number of disclosures that are probably related - but these
were grep-and-gripe affairs in third party applications, where the
researcher didn't necessarily investigate *why* certain attacks

Grepping for superglobal names through CVE suggests the following PHP
application issues might be related to this behavior, although in some
cases it could just be some extract() or dynamic variable evaluation
or other method for overwriting critical variables:

CVE-2006-4673 - _SERVER[REMOTE_ADDR]  (might be extract)
CVE-2006-3798 - _SERVER, _ENV, _COOKIE (extract)
CVE-2006-1914 - GLOBALS, _SERVER
CVE-2005-2574 -  _SERVER[REMOTE_ADDR] (extract)
CVE-2005-3300 - _FILES
CVE-2007-0599 - SERVER
CVE-2006-5796 - _SESSION[docroot_path]
CVE-2006-5078 - _SESSION[dirMain]
CVE-2006-2828 - import_request_variables(), but not for superglobals


- Steve

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Re: PHP import_request_variables() arbitrary variable overwrite Steven M. Christey (Mar 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]