Description
The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to enable the register_globals directive via inputs that cause a request to be terminated due to the memory_limit setting, which causes PHP to set an internal flag that enables register_globals and allows attackers to exploit vulnerabilities in PHP applications that would otherwise be protected.
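One way to audit a code base for the call form named above, `parse_str` with only one parameter: the Python sketch below is an added example, not part of the original advisory. The function names, the constructed PHP sample and the heuristic itself are assumptions; it does not strip PHP comments or heredocs, so commented-out calls are reported too.

```python
import re

# Global-function calls only: skips $obj->parse_str(, Foo::parse_str(, my_parse_str(.
# PHP function names are case-insensitive, hence IGNORECASE.
CALL = re.compile(r"(?<!->)(?<!::)(?<![\w$])parse_str\s*\(", re.IGNORECASE)

def count_args(src, start):
    """Count top-level arguments of a call; src[start] is the first char after '('.
    Returns (argc, index_of_closing_paren), or (None, len(src)) if unbalanced."""
    depth, argc, seen, quote, i = 1, 0, False, None, start
    while i < len(src):
        ch = src[i]
        if quote:                      # inside a PHP string literal
            if ch == "\\":
                i += 1                 # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote, seen = ch, True
        elif ch in "([{":
            depth, seen = depth + 1, True
        elif ch in ")]}":
            depth -= 1
            if depth == 0:
                return argc + (1 if seen else 0), i
        elif ch == "," and depth == 1:
            argc, seen = argc + 1, False   # a trailing comma adds no argument
        elif not ch.isspace():
            seen = True
        i += 1
    return None, i

def find_one_arg_parse_str(src):
    """Line numbers of parse_str() calls that pass no result array."""
    hits = []
    for m in CALL.finditer(src):
        if re.search(r"function\s+$", src[:m.start()]):
            continue                   # a declaration, not a call
        argc, _ = count_args(src, m.end())
        if argc == 1:
            hits.append(src.count("\n", 0, m.start()) + 1)
    return hits

# Constructed sample input, not taken from any real application.
SAMPLE = r'''<?php
parse_str($_SERVER['QUERY_STRING']);
parse_str($qs, $params);
$req->parse_str($qs);
Parse_Str(build("a,b", [1, 2]));
'''

if __name__ == "__main__":
    print(find_one_arg_parse_str(SAMPLE))
```

Each reported line is a call that writes request-derived values into the caller's variable scope; passing a second argument keeps them in a named array instead.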
Remediation
References