Newsgroups: php.internals
Subject: Re: [PHP-DEV] About CVE-2012-0831 (magic_quotes_gpc remote disable vulnerability?)
From: Stefan Esser <stefan@nopiracy.de>
To: Kousuke Ebihara
Cc: Mailing-List php
Date: Tue, 14 Feb 2012 17:07:08 +0100
In-Reply-To: <4F3A8158.2050206@co3k.org>
References: <4F3A5B70.3020707@co3k.org> <4F3A8158.2050206@co3k.org>

Hi,

> 1. In PHP 5.3.10 and before, magic_quotes_gpc is disabled even if it is enabled in php.ini.

No, the vulnerability allows attackers to disable activated magic_quotes_gpc with a remote exploit.

> 2. If my PHP scripts don't depend on the magic quote feature, in this case I don't need to apply the patch.

Applications like SugarCRM also do not depend on magic_quotes_gpc. However, SugarCRM before 6.4.0 contains an SQL injection vulnerability that is not exploitable in case magic_quotes_gpc is activated.

> But I think it is a total mistake. I think it is evaluated as "SQL Injection attack vulnerability in *PHP*", but it is not correct. magic_quotes_gpc is just a fail-safe (but of course it is tattered) and a script which depends on magic_quotes_gpc is intrinsically vulnerable.

While magic_quotes_gpc is for sure not the best solution possible, it is simply not true that scripts relying on magic_quotes_gpc for SQL escaping are insecure.

These scripts are simply not portable (when it comes to moving the SQL to a different database software or moving to some multi-byte character sets). There is a lot of old code on the internet that relies on magic_quotes_gpc and uses a utf8 or iso character set and is NOT vulnerable.

Of course using mysql_real_escape_string() and prepared statements is more secure, but they are not always required to be secure.

Regards,
Stefan Esser

PS: and all that old code will be vulnerable once the server admin updates to PHP 5.4
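An added example, not part of this thread and not code from PHP or SugarCRM, of the migration the PS points at: it undoes the escaping magic_quotes_gpc adds while the directive is still on, so a script sees the same raw input before and after the upgrade to PHP 5.4, and then passes that input to a prepared statement instead of relying on addslashes-style escaping. The DSN, credentials, table and column names are placeholders.

```php
<?php
// Migration shim for code that relied on magic_quotes_gpc (added example).
// On PHP 5.3 with the directive on, GPC input arrives with backslashes added;
// on PHP 5.4+ the directive is gone and input arrives raw. Normalizing here
// means the rest of the application always works on raw input.

// Recursively remove the backslashes magic_quotes_gpc inserted.
function undo_magic_quotes($value)
{
    return is_array($value)
        ? array_map('undo_magic_quotes', $value)
        : stripslashes($value);
}

// Run once at the top of the request. get_magic_quotes_gpc() was removed in
// PHP 8.0, so guard the call; on 5.4 through 7.x it always reports "off".
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Query with a bound parameter: the value travels separately from the SQL
// text, so neither the database's quoting rules nor the connection charset
// decides whether a quote in user input is data or syntax.
function find_user(PDO $pdo, $username)
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->bindValue(':name', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Placeholder DSN and credentials. The charset is fixed on the connection so
// driver and server agree on it, which escaping-based schemes depend on and
// a parameterized query does not.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8', 'user', 'pass', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
));

$row = find_user($pdo, isset($_GET['user']) ? $_GET['user'] : '');
```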