Description
The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation.
Remediation
References
Related Vulnerabilities
WordPress Plugin Hostel Cross-Site Scripting (1.1.3)
Oracle Application Server CVE-2008-1824 Vulnerability (CVE-2008-1824)
MediaWiki Improper Input Validation Vulnerability (CVE-2020-35477)
MySQL CVE-2021-35623 Vulnerability (CVE-2021-35623)
WordPress Plugin Appointments Unspecified Vulnerability (2.2.2.1)