-
Type:
Bug
-
Status: Closed (View Workflow)
-
Priority:
Blocker
-
Resolution: Fixed
-
Affects Version/s: 3.0.12, 3.1.1
-
Fix Version/s: 3.0.13-RC1, 3.1.2
-
Component/s: None
-
Labels:None
-
GitHub Pull Request URL:
When e.g. $_COOKIE['GLOBALS']=1 is sent, the deregister_globals() function calls unset() on $GLOBALS['GLOBALS'] destroying the $GLOBALS array.
This renders the board unusable when register_globals (which was removed in PHP 5.4.0) is set to On.
This was previously reported in https://tracker.phpbb.com/browse/SECURITY-172 but since phpBB does not rely on deregister_globals() but always defines variables on its own, this is not a security issue.