CVE-2005-3416

An attacker sends a crafted HTTP request that sets the `$HTTP_SESSION_VARS` (or `$_SESSION`) global variable to a string value instead of an array. Because `session_start()` has not been called, PHP does not manage this variable, and with `register_globals` enabled the attacker can supply it via GET, POST, or COOKIE parameters. When the deregistration code calls `array_merge()` with this non-array argument, the function fails and returns an empty array, so the subsequent loop that unsets dangerous global variables never executes. This allows the attacker to then inject arbitrary global variables (such as those used in uninitialized variables elsewhere in phpBB) to achieve XSS, SQL injection, or remote code execution [ref_id=1].

The vulnerable code is the register_globals deregistration routine in phpBB 2.0.17 and earlier. The advisory [ref_id=1] describes the logic: it calls `array_merge($HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_SERVER_VARS, $HTTP_SESSION_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES)` and then unsets each global variable that is not in the `$not_unset` array. The flaw is that when `session_start()` has not been called, `$HTTP_SESSION_VARS` is not an array and can be set to a string by an attacker via register_globals, causing `array_merge` to fail and return an empty `$input` array, which bypasses the entire deregistration.

The advisory [ref_id=1] recommends upgrading to the new phpBB release (2.0.18 or later). No patch diff is provided in the bundle. The fix would need to ensure that `$HTTP_SESSION_VARS` is always initialized as an array before the `array_merge()` call, or that the deregistration code validates that each argument to `array_merge()` is actually an array before calling it, preventing the bypass when `session_start()` has not been called.