CVE-2011-0752 in PHPinfo

Summary

by MITRE

The extract function in PHP before 5.2.15 does not prevent use of the EXTR_OVERWRITE parameter to overwrite (1) the GLOBALS superglobal array and (2) the this variable, which allows context-dependent attackers to bypass intended access restrictions by modifying data structures that were not intended to depend on external input, a related issue to CVE-2005-2691 and CVE-2006-3758.


Analysis

by VulDB Data Team • 10/13/2021

The vulnerability described in CVE-2011-0752 is a flaw in the implementation of PHP's extract() function prior to version 5.2.15. It stems from the function's improper handling of the EXTR_OVERWRITE flag, which lets callers overwrite internal PHP data structures that were never meant to be reachable from extracted input. Specifically, extract() could overwrite the $GLOBALS superglobal array and the $this variable, both of which play fundamental roles in PHP's execution environment and object model.

The flaw manifests when extract() processes an array with the EXTR_OVERWRITE flag (which is also the default when no flag is passed), so a key named GLOBALS or this in the array overwrites the corresponding runtime structure. An attacker who can overwrite the $GLOBALS array can modify the global namespace, accessing or altering variables that should remain protected from external influence. Similarly, overwriting $this in an object context lets an attacker manipulate object state and potentially execute arbitrary code or bypass access controls that depend on proper object instantiation and scope management.

This vulnerability creates a significant operational impact by enabling context-dependent attacks that can bypass intended access restrictions within PHP applications. The flaw is particularly dangerous because it operates at a fundamental level of the PHP runtime, affecting how variables are processed and managed. Attackers can leverage this weakness to modify data structures that were explicitly designed to be independent of external input, effectively undermining the security boundaries that developers rely on for protecting sensitive application state. The vulnerability's relationship to CVE-2005-2691 and CVE-2006-3758 indicates a recurring pattern in PHP's variable handling mechanisms that has persisted across multiple versions.

The security implications extend beyond simple variable overwrites, as this vulnerability can enable attackers to manipulate PHP's execution environment in ways that may lead to privilege escalation or code execution. The CWE (Common Weakness Enumeration) classification for this issue aligns with weakness categories related to improper handling of variable names and security misconfigurations in scripting languages. From an ATT&CK framework perspective, this vulnerability maps to techniques involving privilege escalation and code injection, as attackers can manipulate the runtime environment to execute unintended operations. Organizations should implement immediate mitigation strategies including upgrading to PHP 5.2.15 or later versions, reviewing application code for unsafe use of the extract function, and implementing proper input validation to prevent exploitation of this class of vulnerability.
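To make the "unsafe use of the extract function" review item concrete, the following is an added example (not code from VulDB, MITRE or PHP itself) that contrasts an extract() call over untrusted input with two hardened forms; the `$untrusted` array and the three function names are constructed for illustration.

```php
<?php
// Added example: constructed input standing in for $_GET / $_POST.
// The key 'is_admin' is attacker-controlled and collides with a local variable.
$untrusted = ['page' => 'home', 'is_admin' => '1'];

// Unsafe pattern: EXTR_OVERWRITE (also the default when no flag is given)
// lets any attacker-named key clobber an existing local. On PHP < 5.2.15
// the same call could also clobber $GLOBALS and $this (CVE-2011-0752).
function render_unsafe(array $input)
{
    $is_admin = false;
    extract($input, EXTR_OVERWRITE);   // $is_admin is now '1'
    return $is_admin ? 'admin view' : 'user view';
}

// Hardened pattern: do not extract untrusted data at all; read only the
// keys the code expects and cast them to the type it needs.
function render_safe(array $input)
{
    $is_admin = false;                 // only trusted code sets this
    $page = isset($input['page']) ? (string) $input['page'] : 'home';
    return ($is_admin ? 'admin' : 'user') . ' view: ' . $page;
}

// If extract() cannot be removed, restrict it to an allowlist of keys and
// use EXTR_SKIP so existing variables are never overwritten.
function render_limited(array $input)
{
    $is_admin = false;
    $page = 'home';
    $allowed = array_intersect_key($input, array_flip(['page']));
    extract($allowed, EXTR_SKIP);      // 'is_admin' never reaches this scope
    return ($is_admin ? 'admin' : 'user') . ' view: ' . $page;
}

echo render_unsafe($untrusted), "\n";   // admin view   (overwritten local)
echo render_safe($untrusted), "\n";     // user view: home
echo render_limited($untrusted), "\n";  // user view: home
```

Note that in `render_limited` the existing `$page` is kept by EXTR_SKIP; if the extracted value should win for allowlisted keys, use EXTR_OVERWRITE on the allowlisted array only, never on the raw request.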

Reservation

02/02/2011

Disclosure

02/02/2011

Moderation

accepted

Entry

VDB-56311

CPE

ready

EPSS

0.01337

KEV

no

Activities

very low

Sources
