From chris@Shenton.Org  Thu Jul 25 05:45:33 2002
Return-Path: <chris@Shenton.Org>
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 54CFA37B405
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 25 Jul 2002 05:45:33 -0700 (PDT)
Received: from Thanatos.Shenton.Org (a3.ebbed1.client.atlantech.net [209.190.235.163])
	by mx1.FreeBSD.org (Postfix) with SMTP id 56BB443E6A
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 25 Jul 2002 05:45:32 -0700 (PDT)
	(envelope-from chris@Shenton.Org)
Received: (qmail 9693 invoked by uid 1000); 25 Jul 2002 12:45:31 -0000
Message-Id: <20020725124531.9692.qmail@Thanatos.Shenton.Org>
Date: 25 Jul 2002 12:45:31 -0000
From: Chris Shenton <chris@Shenton.Org>
Reply-To: Chris Shenton <chris@Shenton.Org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: mod_php security fix breaks PHP 4.2.2: variables not passed
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         40979
>Category:       ports
>Synopsis:       mod_php security fix breaks PHP 4.2.2: variables not passed
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    dirk
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 25 05:50:01 PDT 2002
>Closed-Date:    Wed Jul 31 14:14:22 PDT 2002
>Last-Modified:  Wed Jul 31 14:14:22 PDT 2002
>Originator:     Chris Shenton
>Release:        FreeBSD 4.6-STABLE i386
>Organization:
>Environment:
System: FreeBSD thanatos.shenton.org 4.6-STABLE FreeBSD 4.6-STABLE #12: Wed Jul 3 11:08:15 EDT 2002 chris@thanatos.shenton.org:/usr/obj/usr/src/sys/Thanatos i386


	
>Description:
	
PHP passes variable from a form via HTTP GET (in URL) or POST
variables (in HTTP body).  The PHP form processor never sees those
variables. 

This broke when I upgraded to the security fix for mod_php 4.2.2.


>How-To-Repeat:

A simple form, form.html:

<form action="form-vars.php">
<input name="var1" value="ThisIsVar1">
<input name="var2" value="ThisIsVar2">
<input type="submit">
</form>

A simple form processor, form-vars.php

<?php
echo "<BR>argc=$argc argv0=$argv[0] argv1=$argv[1] argv2=$argv[2]";
echo "<BR>var1=$var1 var2=$var2";
echo "<HR>";
phpinfo();
?>

Point web browser at form, hit SUBMIT, see output:

argc= argv0= argv1= argv2=
var1= var2=

It doesn't even have a count for variables.

>Fix:

Unknown.


>Release-Note:
>Audit-Trail:

From: Alexandr Kovalenko <never@nevermind.kiev.ua>
To: Chris Shenton <chris@Shenton.Org>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: ports/40979: mod_php security fix breaks PHP 4.2.2: variables not passed
Date: Thu, 25 Jul 2002 16:00:23 +0300

 Hello, Chris Shenton!
 
 On Thu, Jul 25, 2002 at 12:45:31PM -0000, you wrote:
 
 > >Number:         40979
 > >Category:       ports
 > >Synopsis:       mod_php security fix breaks PHP 4.2.2: variables not passed
 > >Environment:
 > System: FreeBSD thanatos.shenton.org 4.6-STABLE FreeBSD 4.6-STABLE #12: Wed Jul 3 11:08:15 EDT 2002 chris@thanatos.shenton.org:/usr/obj/usr/src/sys/Thanatos i386
 > >Description:
 > PHP passes variable from a form via HTTP GET (in URL) or POST
 > variables (in HTTP body).  The PHP form processor never sees those
 > variables. 
 > 
 > This broke when I upgraded to the security fix for mod_php 4.2.2.
 Pilot error! (c)
 
 Check your /usr/local/etc/php.ini file. 
 There should be at least:
 register_globals = On
 register_argc_argv = On
 
 -- 
 NEVE-RIPE
 Ukrainian FreeBSD User Group
 http://uafug.org.ua/

From: Chris Shenton <chris@shenton.org>
To: Alexandr Kovalenko <never@nevermind.kiev.ua>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: ports/40979: mod_php security fix breaks PHP 4.2.2: variables not passed
Date: 25 Jul 2002 09:07:00 -0400

 Alexandr Kovalenko <never@nevermind.kiev.ua> writes:
 
 > Pilot error! (c)
 > 
 > Check your /usr/local/etc/php.ini file. 
 > There should be at least:
 > register_globals = On
 > register_argc_argv = On
 
 Doh! Yes, changing register_globals from default Off to On fixed this.
 
 I had a php.ini-dist and no php.ini, so it sounds like the defaults
 have changed between php versions.
 
 Does enabling this put me at risk from the recent security hole? 
 
 Thanks for the fast response!
Responsible-Changed-From-To: freebsd-ports->dirk 
Responsible-Changed-By: pat 
Responsible-Changed-When: Thu Jul 25 16:59:24 PDT 2002 
Responsible-Changed-Why:  
Over to maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=40979 
State-Changed-From-To: open->closed 
State-Changed-By: dirk 
State-Changed-When: Wed Jul 31 14:13:24 PDT 2002 
State-Changed-Why:  
It's not a bug, it's a feature. 

The default for register_globals changed from on to off for 
security reasons. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=40979 
>Unformatted:
