Vulnerable Systems:
* PHP version 4.3.10 and prior
* PHP version 5.0.5 and prior
* PHP version 5.1.1
* PHP version 5.1.2
By using a global variable in PHP, an attacker can overwrite its content with their own, as follows:
Proof of Concept:
foobar.php:
<?php echo $foobar; ?>
In the address bar, enter the following:
http://[address]/foobar.php?GLOBALS[foobar]=hello
If the PoC prints out "hello", your PHP version is vulnerable.
Please note that PHP's register_globals must be on for the system to be vulnerable.
Workaround:
Turning register_globals off fixes the issue. The following PHP code mitigates this bug:
<?php
// Put this code before everything else.
// Abort if any request source (POST, uploaded files, GET, cookies) carries a
// key named GLOBALS, in either the legacy $HTTP_*_VARS arrays or the superglobals.
if (isset($HTTP_POST_VARS['GLOBALS']) || isset($_POST['GLOBALS']) ||
    isset($HTTP_POST_FILES['GLOBALS']) || isset($_FILES['GLOBALS']) ||
    isset($HTTP_GET_VARS['GLOBALS']) || isset($_GET['GLOBALS']) ||
    isset($HTTP_COOKIE_VARS['GLOBALS']) || isset($_COOKIE['GLOBALS'])) {
    trigger_error('Is this a GLOBAL GPC hacking attempt?', E_USER_ERROR);
}
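To check whether requests shaped like the proof of concept have already reached a server, the access log can be scanned for query parameters named GLOBALS. The script below is an added example, not part of the original advisory: the log lines are constructed, the "combined" log format is assumed, and the function names are illustrative. It sees only the query string, so a GLOBALS key sent via POST, cookies or file uploads (the other sources the workaround checks) does not show up here.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = '''\
192.0.2.10 - - [28/Jan/2006:10:00:01 +0000] "GET /foobar.php?GLOBALS[foobar]=hello HTTP/1.1" 200 5 "-" "-"
192.0.2.11 - - [28/Jan/2006:10:00:02 +0000] "GET /foobar.php?GLOBALS%5Bfoobar%5D=hello HTTP/1.1" 200 5 "-" "-"
192.0.2.12 - - [28/Jan/2006:10:00:03 +0000] "GET /foobar.php?foobar=hello HTTP/1.1" 200 5 "-" "-"
192.0.2.13 - - [28/Jan/2006:10:00:04 +0000] "GET /search.php?q=GLOBALS HTTP/1.1" 200 9 "-" "-"
192.0.2.14 - - [28/Jan/2006:10:00:05 +0000] "GET /x.php?a=1&%47LOBALS=1 HTTP/1.1" 200 0 "-" "-"
'''

# Captures the request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')


def is_globals_overwrite(target):
    """True if the request target carries a parameter named GLOBALS or GLOBALS[...]."""
    query = target.partition("?")[2]
    # parse_qsl percent-decodes names, so GLOBALS%5Bfoobar%5D and %47LOBALS are caught.
    for name, _value in parse_qsl(query, keep_blank_values=True):
        # The variable name is the text before the first '['; a value that
        # merely contains the word GLOBALS (q=GLOBALS) is not a match.
        if name.lstrip().split("[", 1)[0] == "GLOBALS":
            return True
    return False


def scan(log_text):
    """Return (line_number, request_target) for each suspicious log line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match and is_globals_overwrite(match.group(1)):
            hits.append((lineno, match.group(1)))
    return hits


if __name__ == "__main__":
    for lineno, target in scan(SAMPLE_LOG):
        print(f"line {lineno}: {target}")
```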
Disclosure Timeline:
20060119 Bug discovered
20060119 Internal release
20060125 Initial release (only on ush.it)
20060127 Initial release (only on sikurezza.org)
20060128 Public release