CVE-2012-0831
Priority
Low
Description
PHP before 5.3.10 does not properly perform a temporary change to the
magic_quotes_gpc directive during the importing of environment variables,
which makes it easier for remote attackers to conduct SQL injection attacks
via a crafted request, related to main/php_variables.c,
sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c.
magic_quotes_gpc directive during the importing of environment variables,
which makes it easier for remote attackers to conduct SQL injection attacks
via a crafted request, related to main/php_variables.c,
sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c.
Ubuntu-Description
It was discovered that PHP allowed the magic_quotes_gpc setting to
be disabled remotely. This could allow a remote attacker to bypass
restrictions that could prevent an SQL injection.
be disabled remotely. This could allow a remote attacker to bypass
restrictions that could prevent an SQL injection.
References
Bugs
Notes
sbeattie> this introduced a regression, see bugs
Assigned-to
sbeattie
Package
| Upstream: | released (5.3.10) |
| Ubuntu 8.04 LTS (Hardy Heron): | released (5.2.4-2ubuntu5.22) |
| Ubuntu 10.04 LTS (Lucid Lynx): | released (5.3.2-1ubuntu4.13) |
| Ubuntu 10.10 (Maverick Meerkat): | released (5.3.3-1ubuntu9.9) |
| Ubuntu 11.04 (Natty Narwhal): | released (5.3.5-1ubuntu7.6) |
| Ubuntu 11.10 (Oneiric Ocelot): | released (5.3.6-13ubuntu3.5) |
| Ubuntu 12.04 LTS (Precise Pangolin): | not-affected (5.3.10-1ubuntu1) |