Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-13376

deregister_globals() does not work correctly when $_COOKIE['GLOBALS'] is specified

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Blocker
    • Resolution: Fixed
    • 3.0.12, 3.1.1
    • 3.0.13-RC1, 3.1.2
    • None
    • None

    Description

      When e.g. $_COOKIE['GLOBALS']=1 is sent, the deregister_globals() function calls unset() on $GLOBALS['GLOBALS'] destroying the $GLOBALS array.

      This renders the board unusable when register_globals (which was removed in PHP 5.4.0) is set to On.

      This was previously reported in https://tracker.phpbb.com/browse/SECURITY-172 but since phpBB does not rely on deregister_globals() but always defines variables on its own, this is not a security issue.

      Attachments

        Activity

          People

            naderman Nils Adermann
            bantu Andreas Fischer
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: