(12/02/14 23:03), Ondřej Surý wrote: > That's some noise on the wire... This fix was never part of PHP > 5.3.10 and I think all security team just copied this information from > CVE. (Now I at least know where they got it.) > > And you really need to pull the patch from > https://bugs.php.net/bug.php?id=61043 before you push out 5.3.11.
Thanks, it becomes clear. I understand that ... 1. In PHP 5.3.10 and before, magic_quotes_gpc is disabled even if it is enabled in php.ini. 2. If my PHP scripts don't depend on magic quote feature, in this case, I don't need to apply the patch. Are these correct? BTW, According to NVD (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0831), > CVSS v2 Base Score:7.5 (HIGH) > Access Vector: Network exploitable > Access Complexity: Low > Authentication: Not required to exploit > Impact Type:Allows unauthorized disclosure of information; Allows > unauthorized modification; Allows disruption of service > SQL Injection (CWE-89) But I think it is totally mistakes. I think it is evaluated as "SQL Injection attack vulnerability in *PHP*", but it is not correct. magic_quotes_gpc is just a fail-safe (but of course it is tattered) and a script which depends on magic_quotes_gpc is intrinsically vulnerable. -- Kousuke Ebihara <kous...@co3k.org> http://co3k.org/ -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
