[php-maint] Bug#336645: Please fix this, even if it doesn't affect the default config

Anthony DeRobertis anthony at derobert.net
Mon Jan 2 04:00:27 UTC 2006


register_globals is often turned on to support legacy code and
CVE-2005-3390 makes code which by the documentation should be safe not so.

Consider:

> ; You should do your best to write your scripts so that they do not require
> ; register_globals to be on;  Using form variables as globals can easily lead
> ; to possible security problems, if the code is not very well thought of.

From the Debian-shipped php.ini, certainly does not warn that
register_globals itself is a security problem, but rather that poorly
written scripts are.


> but keep in mind that the directive itself isn't insecure but rather it's the
> misuse of it.

From <http://www.php.net/register_globals>. The page also notes that
reliance on the directive "was quite common and many people didn't even
know it existed and assumed it's just how PHP works." It then goes on to
explain how register_globals is unsafe --- examples which show the
well-known register_globals problem, not the CVE-2005-3390 one. Further,
one of the examples (29-3) could even be subverted by this bug!

Also, considering the number of Debian installations which probably have
register_globals turned on, and how that makes (as already pointed out
in this bug) anything using PEAR extremely vulnerable, I really think
this ought to be fixed in stable ASAP.

CVSS rates this as an 8 (high).
testing-security rates this as medium.



