PHP
by FLow
  

PHP3 is a scripting language that looks a lot like Perl and is interpreted by the web server.
It helps in building dynamic web pages quickly and easily. Here is a snippet of code:

<script language="php">
$phrase="Hello World";
print $phrase;
</script>

This would print out "Hello World" in a browser loading the webpage.

Vulnerability:

PHP supports passing variables the CGI way, i.e. as parameters in the URL. For example, if we access a PHP script like this:

www.example.com/script.php3?user=pepe&pass=juan

the server will assign, before it starts parsing the script, the value "pepe" to the variable $user and the value "juan" to $pass, both accessible from within the script.

If we assign a variable within the script, it overwrites the value of the variable of the same name that was passed as a parameter to the script (e.g. in the URL). The bad thing about this is that PHP doesn't require us to declare a variable before using it, so nothing forces the script to set such a variable itself. Take a look at some code:

<script language="php">

if($user && $password)
  {
  $ok=check_password($user,$password); // Returns 1 if the password matches that of the user
  }

// $ok is only assigned in the branch above; nothing sets it otherwise
if($ok == 1)
  {
  // show private data about the user
  // .....
  }
else
  {
  // Access denied
  // .....
  }
</script>

As you can see, we have three variables: $user, $password and $ok. Let's suppose that the script expects a username and a password in the $user and $password parameters, e.g.:

http://www.example.com/script.php3?user=pepe&password=juan

At first glance everything looks fine. If we take a closer look, we see that $ok is only assigned inside an if() statement.

What if the if() condition is not true (we don't pass a username or a password as a parameter to the script)? Then $ok remains undefined, we get to the second if() and, as it evaluates to false, the script takes the "Access denied" branch.

What if we specify no password, but we pass the $ok variable as a parameter to the script?

http://www.example.com/script.php3?user=pepe&ok=1

This makes the script show us the user's private info: the password remains undefined, but $ok=1 makes the second condition evaluate to true, so we land in the branch that shows the user's private data.

Yes, you could argue that we need to guess the variable names, but take into account that quite a few open source packages use PHP (programs to check e-mail through the web, database front ends for news websites, etc.), so it's just a matter of browsing through the package's source, tracking down the vulnerable variables and using them.

WORKAROUND:

Workaround? Initialize all the variables that the script is going to use at the beginning of the program; this avoids surprises.
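The script above and the workaround side by side, as an added example that is not code from the original article: the request variables are modelled as a constructed array standing in for the query string, check_password() is a hypothetical stand-in, and the vulnerable form relies on PHP's register_globals behaviour, which later PHP versions disable by default.

```php
<?php
// Added example (not from the article). Two functions model the script's logic
// on a constructed array of request variables, so the effect of initialising
// $ok before use can be seen without a web server.

function check_password($user, $password) {
    // Hypothetical stand-in for the article's check_password(): one constructed credential.
    return ($user === 'pepe' && $password === 'juan') ? 1 : 0;
}

// Vulnerable form: every query-string variable is imported into the script's
// scope (what register_globals did), and $ok is only set inside the if().
function vulnerable($query) {
    extract($query);   // user=..., password=..., ok=... all become local variables
    if (!empty($user) && !empty($password)) {
        $ok = check_password($user, $password);
    }
    // If the request carried ok=1 and no password, $ok is already 1 here.
    return (!empty($ok) && $ok == 1) ? 'private data' : 'Access denied';
}

// Hardened form (the article's workaround): $ok is initialised before use and
// the inputs are read explicitly, so a stray ok=1 parameter never reaches it.
function hardened($query) {
    $ok = 0;
    $user     = isset($query['user'])     ? $query['user']     : '';
    $password = isset($query['password']) ? $query['password'] : '';
    if ($user !== '' && $password !== '') {
        $ok = check_password($user, $password);
    }
    return ($ok == 1) ? 'private data' : 'Access denied';
}

// Constructed requests: the legitimate login and the article's ok=1 trick.
$legit  = array('user' => 'pepe', 'password' => 'juan');
$attack = array('user' => 'pepe', 'ok' => '1');

echo "vulnerable, legit : " . vulnerable($legit)  . "\n";
echo "vulnerable, ok=1  : " . vulnerable($attack) . "\n";
echo "hardened,   legit : " . hardened($legit)    . "\n";
echo "hardened,   ok=1  : " . hardened($attack)   . "\n";
```

Run it with the PHP command-line interpreter; only the vulnerable function grants access to the request that carries ok=1 without a password.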

By the way, PHP allows command execution from within a script. Take care if you install PHP on your web server when it's a shared or public web server. The same goes for SSI (server side includes). Bear in mind that, say, a guestbook that allows people to insert HTML code is something like letting people create their own web pages, so keep an eye on that.

Cheers,

FLoW  

 (C) 1997-2001 by !Hispahack