Sat, 24 Mar 2007


When register_globals is activated the deserialization of the session data can overwrite any global variable, including the _SESSION array. Because of its special implementation this can result in arbitrary code execution.

Affected versions

Affected are PHP 4 < 4.4.5 and PHP 5 < 5.2.1

Detailed information

The summary says it all. For further clarification test the exploit.

Proof of concept, exploit or instructions to reproduce

The attached proof of concept code uses the substr_compare() information leak vulnerability to determine the offset to the shellcode and to a writeable address containing a NULL pointer. It then uses the described vulnerability to overwrite the _SESSION array with a fake Hashtable and trigger code execution.


Under normal situations this vulnerability can only be exploited locally. However it might be possible for a remote attacker to use an application vulnerability to inject a session data file onto the server. Many applications already contained holes like this.

Through this vulnerability it is possible to execute arbitrary code on servers running such applications. The Suhosin Extension will protect you from this kind of attack in the default config, because session data is encrypted on the server and cannot be easily modified.