The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to disable the register_globals directive via inputs that cause a request to be terminated due to the memory_limit setting, which causes PHP to set an internal flag that enables register_globals and allows attackers to exploit vulnerabilities in PHP applications that would otherwise be protected.

http://www.hardened-php.net/advisory_192005.78.html

This issue also affects RHEL2.1 and RHEL3.
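The reason a leaked register_globals flag matters is visible in parse_str() itself: its one-argument form is exactly the register_globals style of variable injection, writing every key of the parsed string into the caller's scope. The script below is an added example, not code from the bug report, the advisory or PHP's own sources; the query string it feeds in is constructed sample input, and the function names are hypothetical. It contrasts the one-argument form, which lets a request-controlled key overwrite a variable the application already decided, with the two-argument form, which keeps the parsed keys in an array the caller reads selectively. Note that the one-argument form was deprecated in PHP 7.2 and removed in PHP 8.0, so vulnerable_handler() only runs on PHP 5.x/7.x.

```php
<?php
// Added example (not from the bug report or PHP's sources) showing why
// one-argument parse_str() is equivalent to register_globals for the
// parsed string, and how the two-argument form avoids that.

// Vulnerable pattern (hypothetical function): one-argument parse_str()
// writes each key of $query straight into this function's scope, so a key
// chosen by the attacker silently overwrites $is_admin.
// Runs on PHP 5.x/7.x only; PHP 8 requires the second argument.
function vulnerable_handler($query)
{
    $is_admin = false;      // decided by the application ...
    parse_str($query);      // ... then clobbered by "is_admin=1" in $query
    return (bool) $is_admin;
}

// Hardened pattern (hypothetical function): parse into an array and copy
// out only the keys the application expects; $is_admin is never touched
// by the request.
function safe_handler($query)
{
    $is_admin = false;
    parse_str($query, $params);
    $user = isset($params['user']) ? (string) $params['user'] : null;
    return array('user' => $user, 'is_admin' => $is_admin);
}

// Constructed sample input: a legitimate key plus one the application
// never intended to accept from the request.
$attacker_query = 'user=alice&is_admin=1';

var_dump(vulnerable_handler($attacker_query));
var_dump(safe_handler($attacker_query));
```

On an affected interpreter, vulnerable_handler() returns true because parse_str() assigned the string "1" to $is_admin, while safe_handler() still reports is_admin as false and only picks up the user key. The same effect is what an application experiences for every GET/POST/cookie key once the internal register_globals flag has been left enabled for the rest of the request.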
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-831.html
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-838.html
With php-4.1.2-2.3 (RHEL2.1), the following sample script ends with a segfault when register_globals = On.

http://jp.php.net/manual/en/print/function.parse-str.php
Example 1. Using parse_str()
--------
<?php
// Example 1 from the PHP manual page linked above.
$str = "first=value&arr[]=foo+bar&arr[]=baz";

// One-argument form: the parsed keys become variables in the current scope.
parse_str($str);
echo $first;  // value
echo $arr[0]; // foo bar
echo $arr[1]; // baz

// Two-argument form: the parsed keys are stored in $output instead.
parse_str($str, $output);
echo $output['first'];  // value
echo $output['arr'][0]; // foo bar
echo $output['arr'][1]; // baz
?>
--------

I think that php-4.1.2-CVE-2005-3389.patch should be corrected as follows.

--- php-4.1.2/ext/standard/string.c.orig	2005-11-28 17:04:54.000000000 +0900
+++ php-4.1.2/ext/standard/string.c	2005-11-28 17:08:52.000000000 +0900
@@ -3108,8 +3108,10 @@
 	old_rg = PG(register_globals);
 	if(argCount == 1) {
-		PG(register_globals) = 1;
-		php_treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
+		zval tmp;
+		PG(register_globals) = 0;
+		Z_ARRVAL(tmp) = EG(active_symbol_table);
+		php_treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
 	} else {
 		PG(register_globals) = 0;
 		/* Clear out the array that was passed in. */

Thank you.
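Review bot: `tmp` is only partially initialized in the `argCount == 1` branch. The hunk assigns `Z_ARRVAL(tmp) = EG(active_symbol_table);` but leaves the zval's type and refcount fields as stack garbage, so any code downstream of `php_treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);` that inspects `Z_TYPE_P()` on the destination, or ever hands it to a destructor, is reading undefined values; add `INIT_PZVAL(&tmp);` and `Z_TYPE(tmp) = IS_ARRAY;` next to the array assignment. The hunk also makes `PG(register_globals) = 0;` unconditional in practice (it now appears on both sides of `if(argCount == 1)`), which is the right direction for the CVE since the flag can no longer be left at 1 by a memory_limit abort, but it should be hoisted above the branch with a comment saying why the one-argument case must never set it to 1, and the later restore from `old_rg` must stay in place.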
Because the change to the "register_globals" variable is deleted by the original php-4.1.2-CVE-2005-3389.patch, both "if(PG(register_globals))" and "if(track_vars_array)" become effective in main/php_variables.c::php_register_variable_ex(). I think it is necessary either to set "register_globals" appropriately or to change php_register_variable_ex().