Your submission was sent successfully! Close

CVE-2012-0831

Published: 2 February 2012

PHP before 5.3.10 does not properly perform a temporary change to the magic_quotes_gpc directive during the importing of environment variables, which makes it easier for remote attackers to conduct SQL injection attacks via a crafted request, related to main/php_variables.c, sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c.

From the Ubuntu security team

It was discovered that PHP allowed the magic_quotes_gpc setting to be disabled remotely. This could allow a remote attacker to bypass restrictions that could prevent an SQL injection.

Notes

AuthorNote
sbeattie
this introduced a regression, see bugs
Priority

Low

Status

Package Release Status
php5
Launchpad, Ubuntu, Debian
hardy
Released (5.2.4-2ubuntu5.22)
lucid
Released (5.3.2-1ubuntu4.13)
maverick
Released (5.3.3-1ubuntu9.9)
natty
Released (5.3.5-1ubuntu7.6)
oneiric
Released (5.3.6-13ubuntu3.5)
upstream
Released (5.3.10)