Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:57862 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 76766 invoked from network); 14 Feb 2012 13:02:50 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 14 Feb 2012 13:02:50 -0000 Authentication-Results: pb1.pair.com smtp.mail=kousuke@co3k.org; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=kousuke@co3k.org; sender-id=unknown Received-SPF: error (pb1.pair.com: domain co3k.org from 209.85.210.170 cause and error) X-PHP-List-Original-Sender: kousuke@co3k.org X-Host-Fingerprint: 209.85.210.170 mail-iy0-f170.google.com Received: from [209.85.210.170] ([209.85.210.170:42408] helo=mail-iy0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 62/D0-06943-77B5A3F4 for ; Tue, 14 Feb 2012 08:02:49 -0500 Received: by iakk32 with SMTP id k32so10923600iak.29 for ; Tue, 14 Feb 2012 05:02:44 -0800 (PST) Received: by 10.43.53.1 with SMTP id vo1mr32426472icb.2.1329224564730; Tue, 14 Feb 2012 05:02:44 -0800 (PST) Received: from ebiten.local (203.143.101.162.static.zoot.jp. [203.143.101.162]) by mx.google.com with ESMTPS id b6sm1778672igj.7.2012.02.14.05.02.42 (version=SSLv3 cipher=OTHER); Tue, 14 Feb 2012 05:02:44 -0800 (PST) Message-ID: <4F3A5B70.3020707@co3k.org> Date: Tue, 14 Feb 2012 22:02:40 +0900 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0a2) Gecko/20120126 Thunderbird/11.0a2 MIME-Version: 1.0 To: internals@lists.php.net CC: ondrej@php.net X-Enigmail-Version: 1.4a1pre Content-Type: text/plain; charset=ISO-2022-JP Content-Transfer-Encoding: 7bit X-Gm-Message-State: ALoCoQkRxRQA0+tgwrUgJeK/Pf2Cyn9h8mri/lEvFZjq7klIigXjXb3H8dKbCfarv8oupEteV1JK Subject: About CVE-2012-0831 (magic_quotes_gpc remote disable vulnerability?) From: kousuke@co3k.org (Kousuke Ebihara) Hi, I've noticed the following CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0831 > PHP before 5.3.10 does not properly perform a temporary change to the magic_quotes_gpc directive during the importing of environment variables, which makes it easier for remote attackers to conduct SQL injection attacks via a crafted request, related to main/php_variables.c, sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c. and changelog of Ubuntu php5 pacakge: https://launchpad.net/ubuntu/+source/php5/5.3.2-1ubuntu4.13 > * SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability > - debian/patches/php5-CVE-2012-0831.patch: always restore > magic_quote_gpc on request shutdown > - CVE-2012-0831 and read https://bugs.php.net/bug.php?id=61043. But I can't understand this. PHP before 5.3.10? But I can't see any changes related this CVE from http://svn.php.net/viewvc/php/php-src/tags/php_5_3_10/?view=log And I've tried the test of https://bugs.launchpad.net/ubuntu/+source/php5/+bug/930115, but I can't reproduced (report string(1) "1" if "magic_quotes_gpc" is "On"). Something was wrong? Even if the https://bugs.launchpad.net/ubuntu/+source/php5/+bug/930115 problem is exists, but "magic_quotes_gpc remote disable vulnerability" is strange. Can attacker change "magic_quotes_gpc" value deliberately? And according to CVE, "which makes it easier for remote attackers to conduct SQL injection attacks via a crafted request". But some PHP applications which suppose "magic_quotes_gpc=Off" are not affected, aren't them? FYI, The following is my test result: $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.10 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));' string(6) "5.3.10" string(1) "1" $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.9 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));' string(5) "5.3.9" string(1) "1" $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.8 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));' string(5) "5.3.8" string(1) "1" $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.6 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));' string(5) "5.3.6" string(1) "1" $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.5 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));' string(5) "5.3.5" string(1) "1" $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.4 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));' string(5) "5.3.4" string(1) "1" $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.3 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));' string(5) "5.3.3" string(1) "1" $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.2 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));' string(5) "5.3.2" string(1) "1" $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.1 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));' string(5) "5.3.1" string(1) "1" $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.0 -c /tmp/php.ini -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));' string(5) "5.3.0" string(1) "1" -- Kousuke Ebihara http://co3k.org/