Re: PHP parse_str() arbitrary variable overwrite

Board: Bugtraq | Posted: 2007/06/13 21:30
Nice find, although it's not really clear to me whether this is intended functionality or not. I assume it's not intended by Hardened-PHP and Suhosin, at least :)

You didn't mention this, but even if register_globals is disabled, this seems to work, at least in my PHP 4.4.4.

Try the code below with:

    ?var=new   --> generates an error (display_errors=1) that var2 is undefined
    ?var2=new  --> prints "var2 = new"

    <?php
    $var = 'init'; #
    parse_str($_SERVER['QUERY_STRING']); #
    print "var = $var<p>\n"; # new
    print "var2 = $var2<p>\n"; # new
    ?>

- Steve
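The same test with parse_str() writing into an array instead of the current scope, as an added example that is not part of the original post. The helper query_params(), its allowlist and the sample query string are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post.
// query_params() and the allowlisted key names are hypothetical.

/**
 * Parse a query string without touching the caller's variables and
 * return only allowlisted parameters whose values are plain strings.
 */
function query_params(string $query, array $allowed): array
{
    $parsed = [];
    // Two-argument form: results are stored in $parsed, so no variable
    // in the calling scope can be created or overwritten by the request.
    parse_str($query, $parsed);

    $clean = [];
    foreach ($allowed as $name) {
        // parse_str() turns "name[]=x" into an array; accept strings only
        // so later code never receives an unexpected type.
        if (isset($parsed[$name]) && is_string($parsed[$name])) {
            $clean[$name] = $parsed[$name];
        }
    }
    return $clean;
}

$var = 'init';

// Constructed sample input standing in for $_SERVER['QUERY_STRING'].
$query = 'var=new&var2=new&var3[]=x';

$params = query_params($query, ['var2', 'var3']);

// $var keeps the value assigned above, whatever the query string says.
print "var = $var\n";

// Request data is read from the returned array, never from bare variables.
foreach ($params as $name => $value) {
    print "$name = $value\n";
}

// 'var' is dropped because it is not allowlisted; 'var3' is dropped
// because its value is an array rather than a string.
print 'accepted keys: ' . implode(', ', array_keys($params)) . "\n";
```

The one-argument call used in the post has been deprecated since PHP 7.2, and the result argument is mandatory from PHP 8.0.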
Article code (AID): #16R_6100 (Bugtraq)