PublicDateAtUSN: 2012-02-02
Candidate: CVE-2012-0831
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0831
https://usn.ubuntu.com/usn/usn-1358-1
PHP before 5.3.10 does not properly perform a temporary change to the
magic_quotes_gpc directive during the importing of environment variables,
which makes it easier for remote attackers to conduct SQL injection attacks
via a crafted request, related to main/php_variables.c,
sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c.
It was discovered that PHP allowed the magic_quotes_gpc setting to
be disabled remotely. This could allow a remote attacker to bypass
restrictions that could prevent an SQL injection.
sbeattie> this introduced a regression, see bugs
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/930115
https://bugs.php.net/bug.php?id=61043
upstream_php5: released (5.3.10)
hardy_php5: released (5.2.4-2ubuntu5.22)
lucid_php5: released (5.3.2-1ubuntu4.13)
maverick_php5: released (5.3.3-1ubuntu9.9)
natty_php5: released (5.3.5-1ubuntu7.6)
oneiric_php5: released (5.3.6-13ubuntu3.5)
devel_php5: not-affected (5.3.10-1ubuntu1)