[php-maint] Bug#336645: php4: not only dependent on register_globals

Steve Langasek vorlon at debian.org
Fri Nov 18 07:15:05 UTC 2005 

On Thu, Nov 17, 2005 at 07:38:18PM -0500, Antoine Beaupre wrote:
> Package: php4
> Version: 4:4.3.10-16
> Followup-For: Bug #336645

> http://www.hardened-php.net/index.76.html

> This page explains why the so-called 'globals overwrite' bug matters,
> even regardless of the register_globals setting. To put it briefly, the
> $GLOBALS array can be accessed directly by other functions that assume
> a propar initialization that might have been destroyed by the overwrite.

> Not sure that is clear enough, read the page above if not.

I've read that page; the issue is that I don't see any description of a
method of *causing* a $GLOBALS overwrite that doesn't fall into the category
of "stupid variable handling".  AFAICT, this error only occurs when a PHP
application takes arbitrary variable names from an untrusted source, either
by register_globals or by manually reimplementing register_globals-like
behavior.  I can understand that it's desirable to update PHP so that such
stupid variable handling can't be exploited, but it looks to me like the
fundamental bug is in the PHP applications that are doing stupid things with
variables -- *not* with the PHP engine itself.

So, to my eye, this doesn't seem to be a bug that warrants a stable security
update; but I've cc:ed the Security Team for comment.  If Debian is actually
shipping applications which can be exploited in this manner, then doing one
security update for PHP may be better than doing one for each affected app.

Anyway, if you can point me to any evidence that this is exploitable in a
default config by means that don't rely on bad PHP coding practices, by all
means I would push the Security Team to include an update.  Or if the
Security Team themselves feel an update is warranted, I'm more than happy to
prepare one at their request regardless.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20051117/491dd582/attachment.pgp

More information about the pkg-php-maint mailing list