Re: PHP import_request_variables() arbitrary variable overwrite

["Steven M. Christey" <coley () mitre org>]

Stefano Di Paola said:

> 1. I search on google for import_request_variables advisories
> (nothing found)
> 2. I search on php.net in changeLog for fixes (nothing found).

I can see why you weren't able to find anything.  However, there have
been a number of disclosures that are probably related - but these
were grep-and-gripe affairs in third party applications, where the
researcher didn't necessarily investigate *why* certain attacks
worked.

Grepping for superglobal names through CVE suggests the following PHP
application issues might be related to this behavior, although in some
cases it could just be some extract() or dynamic variable evaluation
or other method for overwriting critical variables:

CVE-2007-1024 - _SERVER[DOCUMENT_ROOT]
CVE-2006-4673 - _SERVER[REMOTE_ADDR]  (might be extract)
CVE-2006-4545 - _SERVER[DOCUMENT_ROOT]
CVE-2006-3798 - _SERVER, _ENV, _COOKIE (extract)
CVE-2006-1914 - GLOBALS, _SERVER
CVE-2005-4318 - _SERVER[REMOTE_ADDR]
CVE-2005-4317 - _SERVER[REMOTE_ADDR]
CVE-2005-3926 - _SERVER[REMOTE_ADDR]
CVE-2005-2574 -  _SERVER[REMOTE_ADDR] (extract)
CVE-2005-1996 - _SERVER[DOCUMENT_ROOT]
CVE-2005-3300 - _FILES
CVE-2007-0599 - SERVER
CVE-2006-5796 - _SESSION[docroot_path]
CVE-2006-5078 - _SESSION[dirMain]
CVE-2006-2828 - import_request_variables(), but not for superglobals

etc.


- Steve

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/