Vulnerability Note VU#847803

Php variables passed from the browser are stored in global context

Original Release date: 18 Oct 2001 | Last revised: 22 Oct 2001


Php is a dynamic scripting language used by programmers to develop webservers, message boards, chat applications and a variety of programs. By default php stores variables passed from the URL in a global context. Programmers often fail to change this setting which can allow serious vulnerabilities to surface. Often intruders can exploit the vulnerabilities created by this failure to gain administrative rights to the application or server, manipulate data, and execute arbitrary php code.


Some applications written in php fail to follow proper programming practices. Global variables are used to store sensitive data, and can subsequently be altered by an intruder to gain access to the system. Often programmers use global variables to store account names, passwords and permission settings. An intruder can easily use crafted URLs to change the values in these global variables and compromise the system as demonstrated by VU#314347. Another example that can lead to a more severe impact is the manipulation of php variables related to source code locations. Assume that there is a file not directly accessed by the browser, but is included by the server from somewhere else called includefile.php. It may be included by the file function.php that contains the line


If the global variable $includedir is not set in each document that contains the include statement to be executed, then we can overwrite $includedir with a crafted URL like

When the script is executed on the php interpreter will fetch the file and execute it. This file can contain php code that downloads binaries, executes code, or starts a shell (e.g. "xterm -display")...). This source will be executed with the same privileges as the running webserver..


Intruders can exploit these vulnerabilities to gain administrative rights to the application or server, manipulate data, and execute arbitrary php code.


Disable global variables from the URL/client. Best programming practices are to not use global variables if at all possible. Do not permit the execution of code that does not originate from the webserver. If you need to use global variables, set variables_order = "egcps" in php.ini and set the value of every global variable in every file that the global variable is used.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Grant HorwoodAffected15 Oct 200115 Oct 2001
John LimAffected-16 Oct 2001
Marc LogemannAffected15 Oct 200117 Oct 2001
Miro Construct Pty. Ltd.Affected15 Oct 200116 Oct 2001
ZorbatAffected15 Oct 200122 Oct 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



Our thanks to atil <> and genetics <> for the information contained in their posting to BugTraq.

This document was written by Jason Rafail.

Other Information

  • CVE IDs: Unknown
  • Date Public: 25 Jul 2001
  • Date First Published: 18 Oct 2001
  • Date Last Updated: 22 Oct 2001
  • Severity Metric: 17.53
  • Document Revision: 32


If you have feedback, comments, or additional information about this vulnerability, please send us email.