Newsgroups: php.internals
Xref: news.php.net php.internals:57869
Subject: Re: About CVE-2012-0831 (magic_quotes_gpc remote disable vulnerability?)
From: kousuke@co3k.org (Kousuke Ebihara)
To: Ondřej Surý
CC: internals@lists.php.net, ondrej@php.net
Date: Wed, 15 Feb 2012 00:44:24 +0900
Message-ID: <4F3A8158.2050206@co3k.org>
References: <4F3A5B70.3020707@co3k.org>

(12/02/14 23:03), Ondřej Surý wrote:
> That's some noise on the wire... This fix was never part of PHP
> 5.3.10 and I think all security teams just copied this information from
> CVE. (Now I at least know where they got it.)
>
> And you really need to pull the patch from
> https://bugs.php.net/bug.php?id=61043 before you push out 5.3.11.

Thanks, it has become clear. I understand that ...

1. In PHP 5.3.10 and before, magic_quotes_gpc is disabled even if it is enabled in php.ini.
2. If my PHP scripts don't depend on the magic quotes feature, in this case, I don't need to apply the patch.

Are these correct?

BTW, according to NVD (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0831),

> CVSS v2 Base Score: 7.5 (HIGH)
> Access Vector: Network exploitable
> Access Complexity: Low
> Authentication: Not required to exploit
> Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
> SQL Injection (CWE-89)

But I think it is a total mistake. I think it is evaluated as "SQL Injection attack vulnerability in *PHP*", but it is not correct. magic_quotes_gpc is just a fail-safe (but of course it is tattered), and a script which depends on magic_quotes_gpc is intrinsically vulnerable.

-- 
Kousuke Ebihara
http://co3k.org/
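An added example, not from this thread or from PHP itself, illustrating the last point: a script that relies on magic_quotes_gpc to escape request data is only as safe as an ini setting it does not control, while a script that binds parameters behaves the same whether the setting is on or off. The in-memory SQLite database (assumes the pdo_sqlite extension) and the input value are constructed for the example.

```php
<?php
// Added example (not part of the thread). Shows why a script that depends
// on magic_quotes_gpc is intrinsically vulnerable: its safety hinges on an
// ini setting the script does not control, and CVE-2012-0831 is about that
// setting being turned off. The hardened version binds parameters instead.

// Legacy style: builds SQL from request data, trusting magic_quotes_gpc
// to have backslash-escaped quotes. With the setting off, the raw quote
// reaches the query string unchanged.
function legacyQuery($name)
{
    return "SELECT name FROM users WHERE name = '" . $name . "'";
}

// Undo magic quotes if they happen to be on, so the value is the same
// whatever the ini setting says. get_magic_quotes_gpc() only exists up
// to PHP 7.4; the function_exists guard keeps this running on PHP 8.
function rawInput($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Hardened style: the value travels as a bound parameter, never as SQL text.
function safeQuery(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->bindValue(':name', rawInput($name), PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input: a legitimate name containing a single quote.
$input = "O'Brien";

// The legacy query is well-formed only while magic_quotes_gpc is on.
echo legacyQuery($input), "\n";

// In-memory SQLite (assumes the pdo_sqlite extension) stands in for the DB.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('O''Brien')");

// The bound query finds the row regardless of the ini setting.
print_r(safeQuery($pdo, $input));
```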