N/A

The import_request_variables function in PHP 4.0.7 through 4.4.6, and 5.x before 5.2.2, when called without a prefix, does not prevent the (1) GET, (2) POST, (3) COOKIE, (4) FILES, (5) SERVER, (6) SESSION, and other superglobals from being overwritten, which allows remote attackers to spoof source IP address and Referer data, and have other unspecified impact. NOTE: it could be argued that this is a design limitation of PHP and that only the misuse of this feature, i.e. implementation bugs in applications, should be included in CVE. However, it has been fixed by the vendor.

N/A

N/A

PHP import_request_variables()函数任意变量覆盖漏洞

PHP是广泛使用的通用目的脚本语言，特别适合于Web开发，可嵌入到HTML中。 PHP的import_request_variables()函数实现上存在漏洞，远程攻击者可能利用此漏洞控制服务器。 远程攻击者可以利用PHP的import_request_variables()函数覆盖$_*和$*变量(任意php变量)，导致执行任意代码。有漏洞代码位于以下文件中： ./ext/standard/basic_functions.c:PHP_FUNCTION(import_request_variables)

N/A

N/A