Experimental SCAN_REGISTER_GLOBALS b0rked #9

@robocoder

Introduced in 0.52 (see config/general.php), when SCAN_REGISTER_GLOBALS is true, rips will scan as if register_globals=on.

However, in lib/scanner.php, the code:

        // register globals
        else if(SCAN_REGISTER_GLOBALS && $var_token[0] === T_VARIABLE && !in_array($var_name, Sources::$V_USERINPUT) && (!$this->in_function || (in_array($var_name, $this->put_in_global_scope) && !in_array($var_name, $this->function_obj->parameters))) && empty($secured))
        {
            // add highlighted line to output, mark tainted vars
            $var_trace = new VarDeclare('');
            $parent->children[] = $var_trace;
            $var_trace->value = highlightline(array(array(T_VARIABLE,$var_name,0),array(T_CONSTANT_ENCAPSED_STRING,' is not initialized and '.PHPDOC.'register_globals is enabled',0)), $var_declare->comment.$comment, 0, false, false, $tainted_vars);
            $var_trace->line = 0;
            $var_trace->marker = 1;
            $userinput = true;
            $this->addexploitparameter($mainparent, '$_GET', str_replace('$','',$var_name));
        }

references undefined variables: $comment, $tainted_vars, and $var_declare.
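
For context on what this scanner branch is meant to report ("is not initialized and register_globals is enabled"), here is an added example; it is not part of the issue and not RIPS code. The function names, the `is_admin` parameter and the request array are assumptions made up for illustration, and `extract()` stands in for register_globals, which was removed in PHP 5.4.

```php
<?php
// Added example, not RIPS code. register_globals was removed in PHP 5.4,
// so its effect is emulated with extract() on a constructed request array.

// Constructed sample input: request-supplied query string ?is_admin=1
$request = ['is_admin' => '1'];

// Flagged pattern: $is_admin is assigned on one path only, so with
// register_globals=on a request parameter of the same name pre-seeds it.
function unsafe_is_admin(array $request, string $user): bool
{
    extract($request, EXTR_SKIP);   // emulation: request vars become locals
    if ($user === 'root') {
        $is_admin = true;
    }
    return !empty($is_admin);       // read of a possibly uninitialized variable
}

// Hardened form: the variable is initialized before any read, so a
// pre-seeded value is overwritten regardless of register_globals.
function safe_is_admin(array $request, string $user): bool
{
    extract($request, EXTR_SKIP);   // same emulation, same input
    $is_admin = false;
    if ($user === 'root') {
        $is_admin = true;
    }
    return $is_admin;
}

// Same non-root user, with and without the pre-seeded parameter.
var_dump(unsafe_is_admin($request, 'guest'));
var_dump(safe_is_admin($request, 'guest'));
var_dump(unsafe_is_admin([], 'guest'));
```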
