Newsgroups: php.internals
Date: Tue, 14 Feb 2012 14:35:24 +0100
To: Kousuke Ebihara
Cc: internals@lists.php.net, ondrej@php.net
In-Reply-To: <4F3A5B70.3020707@co3k.org>
References: <4F3A5B70.3020707@co3k.org>
Subject: Re: [PHP-DEV] About CVE-2012-0831 (magic_quotes_gpc
remote disable vulnerability?)
From: Ferenc Kovacs <tyra3l@gmail.com>

2012/2/14 Kousuke Ebihara

> Hi,
>
> I've noticed the following CVE:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0831
>
> > PHP before 5.3.10 does not properly perform a temporary change to the
> > magic_quotes_gpc directive during the importing of environment variables,
> > which makes it easier for remote attackers to conduct SQL injection attacks
> > via a crafted request, related to main/php_variables.c,
> > sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c.
>
> and the changelog of the Ubuntu php5 package:
>
> https://launchpad.net/ubuntu/+source/php5/5.3.2-1ubuntu4.13
>
> > * SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
> >   - debian/patches/php5-CVE-2012-0831.patch: always restore
> >     magic_quote_gpc on request shutdown
> >   - CVE-2012-0831
>
> and read https://bugs.php.net/bug.php?id=61043.
>
> But I can't understand this.
>
> PHP before 5.3.10? But I can't see any changes related to this CVE in
> http://svn.php.net/viewvc/php/php-src/tags/php_5_3_10/?view=log
>
> And I've tried the test of
> https://bugs.launchpad.net/ubuntu/+source/php5/+bug/930115, but I can't
> reproduce it (it reports string(1) "1" if "magic_quotes_gpc" is "On"). Was
> something wrong?
>
> Even if the https://bugs.launchpad.net/ubuntu/+source/php5/+bug/930115
> problem exists, "magic_quotes_gpc remote disable vulnerability" is
> strange. Can an attacker change the "magic_quotes_gpc" value deliberately?
>
> And according to the CVE, "which makes it easier for remote attackers to
> conduct SQL injection attacks via a crafted request". But some PHP
> applications which suppose "magic_quotes_gpc=Off" are not affected, aren't
> they?
>
> FYI, the following is my test result:
>
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.10 -c /tmp/php.ini
> -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(6) "5.3.10"
> string(1) "1"
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.9 -c /tmp/php.ini
> -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(5) "5.3.9"
> string(1) "1"
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.8 -c /tmp/php.ini
> -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(5) "5.3.8"
> string(1) "1"
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.6 -c /tmp/php.ini
> -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(5) "5.3.6"
> string(1) "1"
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.5 -c /tmp/php.ini
> -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(5) "5.3.5"
> string(1) "1"
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.4 -c /tmp/php.ini
> -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(5) "5.3.4"
> string(1) "1"
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.3 -c /tmp/php.ini
> -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(5) "5.3.3"
> string(1) "1"
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.2 -c /tmp/php.ini
> -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(5) "5.3.2"
> string(1) "1"
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.1 -c /tmp/php.ini
> -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(5) "5.3.1"
> string(1) "1"
> $ echo 'magic_quotes_gpc=On' > /tmp/php.ini && php-5.3.0 -c /tmp/php.ini
> -r 'var_dump(phpversion(), ini_get("magic_quotes_gpc"));'
> string(5) "5.3.0"
> string(1) "1"
>
> --
> Kousuke Ebihara
> http://co3k.org/
>

hi.
as far as I can see the referenced fix (http://svn.php.net/viewvc?view=revision&revision=323016) never made it into the 5.3.10 release (http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3_10/?pathrev=323032&view=log)

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
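An added defensive check, not code from this thread, from PHP or from the Ubuntu patch: the CLI test quoted above serves one request per process, so it cannot observe a directive that is left disabled for the next request handled by a long-lived php-cgi or php-fpm worker, which is where the bug referenced above matters. The script below is meant to be served by such a worker and requested repeatedly; it compares the value configured in php.ini (get_cfg_var) with the value in effect for this request (ini_get) and logs any drift per worker pid. It assumes magic_quotes_gpc is set in php.ini and that error_log() reaches the SAPI's error log.

```php
<?php
// Added example (not from the thread): per-request consistency check for
// magic_quotes_gpc under a persistent SAPI (php-fpm / php-cgi). A directive
// that is not restored at the end of one request is inherited by the next
// request served by the same worker process, so the check must run in that
// SAPI, not on the CLI.

function magic_quotes_state()
{
    // Value configured in php.ini (assumption: the directive is set there).
    $configured = get_cfg_var('magic_quotes_gpc');
    // Value in effect for this request in this worker.
    $effective = ini_get('magic_quotes_gpc');

    // Normalise the usual spellings ("1", "On", "true", "yes") to a bool.
    $norm = function ($v) {
        return in_array(strtolower((string) $v), array('1', 'on', 'true', 'yes'), true);
    };

    return array(
        'pid'        => getmypid(),        // identifies the worker process
        'configured' => $norm($configured),
        'effective'  => $norm($effective),
        'drift'      => $norm($configured) !== $norm($effective),
    );
}

$state = magic_quotes_state();

if ($state['drift']) {
    // Assumption: error_log() goes to the SAPI's error log (e.g. the php-fpm log).
    error_log(sprintf(
        'magic_quotes_gpc drift in worker %d: configured=%d effective=%d',
        $state['pid'], $state['configured'], $state['effective']
    ));
}

header('Content-Type: text/plain');
echo json_encode($state), "\n";
```

A drift report means any input escaping that relied on magic_quotes_gpc has silently stopped in that worker; since the directive was deprecated in PHP 5.3 and removed in 5.4, prepared statements or explicit escaping at the database boundary are the durable fix rather than restoring the directive.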