CVE-2012-0831

Priority
Description
PHP before 5.3.10 does not properly perform a temporary change to the
magic_quotes_gpc directive during the importing of environment variables,
which makes it easier for remote attackers to conduct SQL injection attacks
via a crafted request, related to main/php_variables.c,
sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c.
Ubuntu-Description
It was discovered that PHP allowed the magic_quotes_gpc setting to
be disabled remotely. This could allow a remote attacker to bypass
restrictions that could prevent an SQL injection.
Assigned-to
sbeattie
Notes
sbeattie: this introduced a regression, see bugs
Package
Source: php5 (LP Ubuntu Debian)
Upstream: released (5.3.10)
Updated: 2020-03-18 22:08:32 UTC (commit 2ea7df7bd1e69e1e489978d2724a936eb3faa1b8)