How to demonstrate an exploit of extract($_POST)?

Phara0h

New Member
I am not a PHP developer but I'm assessing the security of a PHP5 application.

The author relied on `extract($_POST)` and `extract($_GET)` in some places, outside of functions.

My suggestion is to call `extract($_POST, EXTR_PREFIX_ALL, 'form')` and change the code accordingly, but his stance is that any variable is being redefined inside subsequent includes anyway.

I can easily change the superglobals by providing, for instance, `_ENV=something` inside the post values, but superglobals are arrays and I'm turning them into strings, I'm not sure it can have evil effects.

I could have a look at the several `isset()` uses and go backwards from there... but I imagine there are attacks of this kind that don't require knowledge or divination of the source.

Is there some interesting variable to be set/changed, maybe in the innards of PHP?

Thanks
 
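For reviewers comparing the two calls discussed in the post, the following added example (not part of the original post or the application under review) shows how the default `extract()` mode lets request keys replace variables already in scope, while the `EXTR_PREFIX_ALL` form keeps them separate. The `$post` array, the `$is_admin` flag and the function names are constructed for illustration, and the allow-list helper is an additional option the post does not mention.

```php
<?php
// Constructed sample input standing in for $_POST (not taken from the post).
$post = array('is_admin' => '1', 'name' => 'alice');

// Default extract() mode is EXTR_OVERWRITE: keys from the request replace
// variables that already exist in the calling scope.
function import_default(array $input)
{
    $is_admin = false;        // hypothetical flag set by earlier code
    extract($input);          // same behaviour as extract($_POST)
    return $is_admin;         // request-supplied value, no longer false
}

// The prefixed form suggested in the post: every imported key becomes
// $form_<key>, so it cannot collide with a variable already in scope.
function import_prefixed(array $input)
{
    $is_admin = false;
    extract($input, EXTR_PREFIX_ALL, 'form');
    return array(
        'is_admin'      => $is_admin,       // still the value set by the code
        'form_is_admin' => $form_is_admin,  // request value, clearly marked
        'form_name'     => $form_name,
    );
}

// Additional option (an assumption, not from the post): skip extract()
// entirely and read only the keys the page expects.
function import_allowlisted(array $input, array $allowed)
{
    return array_intersect_key($input, array_flip($allowed));
}

var_dump(import_default($post));
var_dump(import_prefixed($post));
var_dump(import_allowlisted($post, array('name')));
```

The "variables are redefined in later includes" argument only holds if every variable is assigned unconditionally before its first use; any `isset()` or `empty()` check between the `extract()` call and that assignment reads the request-supplied value instead.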