PHP Globals Filtering Bypass

Summary

Improper global parameters handling within PHP allows attackers to overwrite existing data.

Credit:

The information has been provided by ascii.
The original article can be found at: http://www.ush.it/2006/01/25/php5-globals-vulnerability/


Details

Vulnerable Systems:
 * PHP version 4.3.10 and prior
 * PHP version 5.0.5 and prior
 * PHP version 5.1.1
 * PHP version 5.1.2

By passing a GLOBALS array parameter in the request, attackers can overwrite the content of an existing global variable with their own value, as follows:

Proof of Concept:
foobar.php:
<?php echo $foobar; ?>

On address bar do the following:

http://[address]/foobar.php?GLOBALS[foobar]=hello

If the PoC prints out "hello", your PHP version is vulnerable.

Please note that register_globals must be on in order to be vulnerable.

Workaround:
Setting register_globals to off will fix this. The following PHP code will mitigate this bug where that is not possible.

// put this code before everything else in the request
// (checks both the legacy $HTTP_*_VARS arrays and the $_GET/$_POST/$_COOKIE/$_FILES superglobals)
if (isset($HTTP_POST_VARS['GLOBALS']) || isset($_POST['GLOBALS']) ||
    isset($HTTP_POST_FILES['GLOBALS']) || isset($_FILES['GLOBALS']) ||
    isset($HTTP_GET_VARS['GLOBALS']) || isset($_GET['GLOBALS']) ||
    isset($HTTP_COOKIE_VARS['GLOBALS']) || isset($_COOKIE['GLOBALS'])) {
    trigger_error('Is this a GLOBALS GPC hacking attempt?', E_USER_ERROR);
}
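As an added example (not code from the original advisory), the same check in function form, extended with a runtime test that fails closed while register_globals is still on and with a log line for the rejected request; the function names and the sample inputs are constructed for this illustration.

```php
<?php
// Added example, not code from the advisory: a request guard that
// (1) refuses to run while register_globals is on and (2) rejects any
// input source carrying a top-level GLOBALS key, the overwrite vector above.

// Returns the label of the first input source that carries a GLOBALS key,
// or null when none does. $sources maps a label to the array to inspect.
function find_globals_injection(array $sources) {
    foreach ($sources as $label => $values) {
        if (is_array($values) && array_key_exists('GLOBALS', $values)) {
            return $label;
        }
    }
    return null;
}

// True when register_globals is enabled in the running interpreter.
// ini_get() returns "", "0" or "off" when disabled and false when the
// directive no longer exists (PHP 5.4 and later), so all of those count as off.
function register_globals_enabled() {
    $value = strtolower(trim((string) ini_get('register_globals')));
    return !in_array($value, array('', '0', 'off'), true);
}

// Front-controller use: call before any other code in the request.
function guard_request() {
    if (register_globals_enabled()) {
        // Fail closed; the permanent fix is register_globals = Off in php.ini
        // (or "php_flag register_globals off" in .htaccess under mod_php).
        trigger_error('register_globals is on; refusing to serve request', E_USER_ERROR);
    }
    $hit = find_globals_injection(array(
        'GET'    => $_GET,
        'POST'   => $_POST,
        'COOKIE' => $_COOKIE,
        'FILES'  => $_FILES,
    ));
    if ($hit !== null) {
        $client = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'cli';
        error_log("GLOBALS overwrite attempt via $hit from $client");
        trigger_error('Rejected request: GLOBALS key in ' . $hit, E_USER_ERROR);
    }
}

// Constructed sample inputs (not captured traffic), shaped the way PHP
// populates $_GET for "?page=home" and for "?GLOBALS[foobar]=hello".
$benign = array('GET' => array('page' => 'home'), 'POST' => array());
$attack = array('GET' => array('GLOBALS' => array('foobar' => 'hello')), 'POST' => array());
var_dump(find_globals_injection($benign));
var_dump(find_globals_injection($attack));
```

The first var_dump yields NULL and the second the label "GET", which is the source the guard would name in its log line.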

Disclosure Timeline:
20060119 Bug discovered
20060119 Internal release
20060125 Initial release (only on ush.it)
20060127 Initial release (only on sikurezza.org)
20060128 Public release

Categories: UNIX