2012/2/14 Kousuke Ebihara <kous...@co3k.org>
> Hi,
>
> I've noticed the following CVE:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0831
>
> > PHP before 5.3.10 does not properly perform a temporary change to the
> > magic_quotes_gpc directive during the importing of environment variables,
> > which makes it easier for remote attackers to conduct SQL injection attacks
> > via a crafted request, related to main/php_variables.c,
> > sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c.
>
> and the changelog of the Ubuntu php5 package:
>
> https://launchpad.net/ubuntu/+source/php5/5.3.2-1ubuntu4.13
>
> > * SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
> >   - debian/patches/php5-CVE-2012-0831.patch: always restore
> >     magic_quote_gpc on request shutdown
> >   - CVE-2012-0831
>
> and read https://bugs.php.net/bug.php?id=61043.
>
> But I can't understand this.
>
> PHP before 5.3.10? But I can't see any changes related to this CVE in
> http://svn.php.net/viewvc/php/php-src/tags/php_5_3_10/?view=log
>
> And I've tried the test of
> https://bugs.launchpad.net/ubuntu/+source/php5/+bug/930115, but I can't
> reproduce it (it reports string(1) "1" if "magic_quotes_gpc" is "On").
> Was something wrong?
>
> Even if the https://bugs.launchpad.net/ubuntu/+source/php5/+bug/930115
> problem exists, "magic_quotes_gpc remote disable vulnerability" is
> strange. Can an attacker change the "magic_quotes_gpc" value deliberately?
>
> And according to the CVE, "which makes it easier for remote attackers to
> conduct SQL injection attacks via a crafted request". But some PHP
> applications which suppose "magic_quotes_gpc=Off" are not affected, are
> they?
>
> FYI, the following is my test result:
>
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.10 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(6) "5.3.10"
> string(1) "1"
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.9 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(5) "5.3.9"
> string(1) "1"
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.8 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(5) "5.3.8"
> string(1) "1"
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.6 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(5) "5.3.6"
> string(1) "1"
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.5 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(5) "5.3.5"
> string(1) "1"
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.4 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(5) "5.3.4"
> string(1) "1"
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.3 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(5) "5.3.3"
> string(1) "1"
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.2 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(5) "5.3.2"
> string(1) "1"
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.1 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(5) "5.3.1"
> string(1) "1"
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.0 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(5) "5.3.0"
> string(1) "1"
>
> --
> Kousuke Ebihara <kous...@co3k.org>
> http://co3k.org/

hi.
as far as I can see the referenced fix
(http://svn.php.net/viewvc?view=revision&revision=323016) never made it into
the 5.3.10 release
(http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3_10/?pathrev=323032&view=log).

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
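The security-relevant point of the thread is that the CVE only bites applications that rely on magic_quotes_gpc being On for their SQL escaping: if the directive is Off (by configuration, or because a CGI/FPM worker did not restore it, which is what the Ubuntu patch "always restore magic_quote_gpc on request shutdown" addresses), the same code becomes injectable. The following PHP 5.3 script is an added example, not code from this thread or from php-src. It assumes pdo_sqlite is available; the users table, its two rows and the attacker's request parameter are constructed here, and mq_report() is a hypothetical name for a per-request probe. Since the CVE text names sapi/cgi/cgi_main.c and sapi/fpm/fpm/fpm_main.c, the probe is meant to be served through php-cgi or php-fpm and logged per request; a `php -r` run goes through the cli SAPI instead.

```php
<?php
// Added example, not code from the thread or from php-src. Assumes PHP 5.3
// with pdo_sqlite. On PHP >= 5.4 magic_quotes_gpc no longer exists, so
// mq_report() shows the directive as absent and the simulation below is
// the only way to see the "On" behaviour.

// Per-request probe (hypothetical name): serve this under php-cgi/php-fpm
// and log the result, so a directive that silently went Off is noticed.
function mq_report() {
    return array(
        'sapi'    => PHP_SAPI,
        'php'     => PHP_VERSION,
        'ini'     => ini_get('magic_quotes_gpc'),
        'runtime' => function_exists('get_magic_quotes_gpc')
                         ? (bool) get_magic_quotes_gpc() : null,
    );
}

// magic_quotes_gpc=On is equivalent to addslashes() on every GPC value;
// this lets the script show both states whatever the real directive is.
function simulate_magic_quotes($value, $directive_on) {
    return $directive_on ? addslashes($value) : $value;
}

// Vulnerable pattern: the application assumes the directive is On and
// interpolates the value into SQL. With the directive Off the quote in
// the input closes the literal and the rest of the input becomes SQL.
function query_relying_on_magic_quotes($gpc_value) {
    return "SELECT id FROM users WHERE name = '" . $gpc_value . "'";
}

// Hardened form: undo magic quotes if they happen to be active, then bind
// the value. The statement shape cannot change whatever the directive is.
function query_with_prepared_statement(PDO $pdo, $gpc_value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $gpc_value = stripslashes($gpc_value);
    }
    $stmt = $pdo->prepare('SELECT id FROM users WHERE name = ?');
    $stmt->execute(array($gpc_value));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed fixture: an in-memory database with two users.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice')");
$pdo->exec("INSERT INTO users (name) VALUES ('bob')");

// Constructed request parameter, e.g. ?name=x' OR '1'='1
$attacker = "x' OR '1'='1";

print_r(mq_report());

// Directive On: the quote is backslash-escaped and the SQL stays a single
// literal. Only printed, not executed: addslashes() follows MySQL's escaping
// rules and SQLite does not treat backslash as an escape, which is one more
// reason an application should not depend on the directive at all.
echo query_relying_on_magic_quotes(simulate_magic_quotes($attacker, true)), "\n";

// Directive Off: the same application code now returns every row.
$sql  = query_relying_on_magic_quotes(simulate_magic_quotes($attacker, false));
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
echo $sql, "\n";
printf("vulnerable query, directive off: %d row(s)\n", count($rows));

// Prepared statement: the injected text is matched as a name, not run as SQL,
// so no row comes back regardless of the directive's state.
printf("prepared statement: %d row(s)\n",
       count(query_with_prepared_statement($pdo, $attacker)));
```

Run it with the php-cgi or php-fpm binary of the build under test (or serve it through the web server) to have mq_report() reflect the SAPI the CVE concerns; the query part behaves the same under any SAPI, which is the point: the hardened version does not care what the directive currently is.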