Description
The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation.
Remediation
References
Related Vulnerabilities
WordPress 3.9.x Multiple Vulnerabilities (3.9 - 3.9.34)
Oracle Application Server Other Vulnerability (CVE-2002-0659)
Oracle Database Server CVE-2010-2419 Vulnerability (CVE-2010-2419)
MySQL CVE-2015-0405 Vulnerability (CVE-2015-0405)
Plupload Cross-site Scripting (XSS) Vulnerability (CVE-2016-4566)