Newsgroups: php.internals
Date: Tue, 14 Feb 2012 15:03:56 +0100
Subject: Re: About CVE-2012-0831 (magic_quotes_gpc remote disable vulnerability?)
From: ondrej@sury.org (Ondřej Surý)
To: Kousuke Ebihara
Cc: internals@lists.php.net, ondrej@php.net
In-Reply-To: <4F3A5B70.3020707@co3k.org>
References: <4F3A5B70.3020707@co3k.org>

2012/2/14 Kousuke Ebihara:
> Hi,
>
> I've noticed the following CVE:
>
>   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0831
>
>> PHP before 5.3.10 does not properly perform a temporary change to the magic_quotes_gpc directive during the importing of environment variables, which makes it easier for remote attackers to conduct SQL injection attacks via a crafted request, related to main/php_variables.c, sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c.

That's some noise on the wire...

This fix was never part of PHP 5.3.10 and I think all security team just copied this information from CVE. (Now I at least know where they got it.)

And you really need to pull the patch from https://bugs.php.net/bug.php?id=61043 before you push out 5.3.11.

O.
-- 
Ondřej Surý