CVE-2005-3415

An attacker can bypass the globals deregistration protection by supplying both a normal GPC variable (e.g., `foobar`) and a `GLOBALS[]` variable (e.g., `GLOBALS[foobar]`) in the same request. When phpBB's deregistration code iterates over the merged input, it encounters the key `GLOBALS` and attempts to unset `$GLOBALS` instead of `$foobar`, leaving the attacker's GPC variable `$foobar` intact as a global [ref_id=1]. This allows the attacker to control uninitialized variables in scripts such as `usercp_register.php`, `login.php`, and `search.php`, leading to XSS, SQL injection, or remote code execution via `preg_replace()` with an injected `e` modifier [ref_id=1].

The vulnerability lies in phpBB's global variable deregistration code, which uses `array_merge()` on `$HTTP_GET_VARS`, `$HTTP_POST_VARS`, `$HTTP_COOKIE_VARS`, and other superglobal arrays, then unsets each variable found in the merged result. The code is present in phpBB 2.0.17 and earlier [ref_id=1].

The advisory recommends upgrading to the new phpBB release, which the vendor published on 30 October 2005 [ref_id=1]. No patch diff is included in the bundle. The fix addresses the three bypass methods: the `GLOBALS[]` variable trick (bypass [1]), the ability to set `HTTP_SESSION_VARS` to a non-array to break `array_merge()` (bypass [2]), and the failure when `register_long_arrays` is off (bypass [3]) [ref_id=1]. Additionally, the vendor corrected the uninitialized variables in `usercp_register.php`, `login.php`, and `search.php` that could be exploited once the globals protection was bypassed [ref_id=1].