November 18th, 2005, 07:56   #1
counterpoint

Possible security threat - globals overwrite

People have recently realised that there is a weakness in some versions of PHP that can be exploited to execute arbitrary PHP. You can find details of the problem at http://www.hardened-php.net/index.76.html and there is a good discussion about the issue at Sitepoint http://www.sitepoint.com/forums/showthread.php?t=312884. So far as we can tell, the vulnerability does not affect PHP 4.4.1 or PHP 5.0.4 or later.

The exploit will be blocked in Mambo 4.5.3 to be released later this month. If you would like to fix any version of Mambo before the release is available, then you should insert the following code in the index.php and index2.php files in the Mambo document root. The code should go just after the line of actual code, which is the DEFINE of _VALID_MOS. The code is:

PHP Code:
// Names of PHP superglobals that must never arrive as request parameter names
$protects = array('_REQUEST', '_GET', '_POST', '_COOKIE', '_FILES', '_SERVER', '_ENV', 'GLOBALS', '_SESSION');

// Abort if any request input array carries a key named after a superglobal
foreach ($protects as $protect) {
    if (in_array($protect, array_keys($_REQUEST)) ||
        in_array($protect, array_keys($_GET)) ||
        in_array($protect, array_keys($_POST)) ||
        in_array($protect, array_keys($_COOKIE)) ||
        in_array($protect, array_keys($_FILES))) {
        die("Invalid Request.");
    }
}

This solution is probably overkill, but should block any attack of this nature.

EDIT NOTE: Sorry, there was an error when this was first posted. The array $protect should contain 'GLOBALS' as shown now, and not '_GLOBALS' as it did when first posted. My apologies for the error.

SECOND EDIT NOTE: We have struggled to get this right, partly through not having a live example of the exploit until this morning. The code above has been changed again, and has been tested against live versions of the exploit. It blocks them.

For the record, I should add some further points. The vulnerability does seem to affect ALL versions of PHP. It is not specific to Mambo and has not been totally blocked in Joomla, as can be verified in the Joomla forum. The fix given above can be applied at the entry point to any PHP application that may be vulnerable, including Joomla.

The core team has worked hard to solve this problem, and is very sympathetic to anyone who has been hacked. For those people who have been hacked, please check your site extremely carefully. Since the exploit allows the execution of arbitrary PHP code, you must assume that information may have been stolen or back doors left in your system. If in doubt, please change all critical passwords and reinstall the Mambo code.

Last edited by counterpoint : November 21st, 2005 at 05:05.
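
The guard from the post above, restated as a function that can be exercised over constructed request arrays and that reports which input carried the protected name. This is an added example, not code from the post or from Mambo; the function name superglobal_override(), the PROTECTED_NAMES constant and the sample requests are assumptions made for illustration, and it assumes PHP 7.1 or later.

```php
<?php
// Added example (not Mambo code). Names and sample data are hypothetical.
const PROTECTED_NAMES = ['_REQUEST', '_GET', '_POST', '_COOKIE', '_FILES',
                         '_SERVER', '_ENV', 'GLOBALS', '_SESSION'];

/**
 * Return "source[name]" for the first request parameter named after a
 * superglobal, or null when no input array carries such a name.
 */
function superglobal_override(array $sources): ?string
{
    foreach ($sources as $label => $input) {
        foreach (PROTECTED_NAMES as $name) {
            // array_key_exists() is an exact key lookup. Loose in_array()
            // matching over array_keys() treats the integer key 0 as equal
            // to 'GLOBALS' before PHP 8, so a harmless ?0=x is rejected.
            if (array_key_exists($name, $input)) {
                return "{$label}[{$name}]";
            }
        }
    }
    return null;
}

// Constructed sample requests (not captured traffic).
$samples = [
    'normal page view'   => ['_GET' => ['option' => 'com_content', 'id' => '5'],
                             '_POST' => [], '_COOKIE' => []],
    'numeric param name' => ['_GET' => [0 => 'x'],
                             '_POST' => [], '_COOKIE' => []],
    'GLOBALS in query'   => ['_GET' => ['GLOBALS' => ['x' => '1']],
                             '_POST' => [], '_COOKIE' => []],
    '_SERVER in cookie'  => ['_GET' => [], '_POST' => [],
                             '_COOKIE' => ['_SERVER' => ['x' => '1']]],
];

foreach ($samples as $description => $sources) {
    $hit = superglobal_override($sources);
    printf("%-20s %s\n", $description, $hit === null ? 'allowed' : "blocked: $hit");
}

// At an application entry point, pass the live arrays before any other code:
// $hit = superglobal_override(['_REQUEST' => $_REQUEST, '_GET' => $_GET,
//     '_POST' => $_POST, '_COOKIE' => $_COOKIE, '_FILES' => $_FILES]);
// if ($hit !== null) { error_log("blocked $hit"); die('Invalid Request.'); }
```

Logging the returned source and name before rejecting the request gives a record of blocked attempts that a bare die() does not.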

November 21st, 2005, 05:11   #2
counterpoint

For the benefit of people who are not very comfortable editing the Mambo files, modified versions of the index.php and index2.php files for Mambo 4.5.2.3 are attached here. You should unzip the package into the Mambo root of your web site, replacing the existing files.

All other versions should be modified using the code posted above. If you have problems or need advice, please post in the forums.
Attached Files
File Type: zip mambo4523_security_fix.zip (4.2 KB, 569 views)