register_globals is often turned on to support legacy code and CVE-2005-3390 makes code which by the documentation should be safe not so.
Consider: > ; You should do your best to write your scripts so that they do not require > ; register_globals to be on; Using form variables as globals can easily lead > ; to possible security problems, if the code is not very well thought of. >From the Debian-shipped php.ini, certainly does not warn that register_globals itself is a security problem, but rather that poorly written scripts are. > but keep in mind that the directive itself isn't insecure but rather it's the > misuse of it. >From <http://www.php.net/register_globals>. The page also notes that reliance on the directive "was quite common and many people didn't even know it existed and assumed it's just how PHP works." It then goes on to explain how register_globals is unsafe --- examples which show the well-known register_globals problem, not the CVE-2005-3390 one. Further, one of the examples (29-3) could even be subverted by this bug! Also, considering the number of Debian installations which probably have register_globals turned on, and how that makes (as already pointed out in this bug) anything using PEAR extremely vulnerable, I really think this ought to be fixed in stable ASAP. CVSS rates this as an 8 (high). testing-security rates this as medium. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
