2012/2/14 Kousuke Ebihara <kous...@co3k.org>: > Hi, > > I've noticed the following CVE: > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0831 > >> PHP before 5.3.10 does not properly perform a temporary change to the >> magic_quotes_gpc directive during the importing of environment variables, >> which makes it easier for remote attackers to conduct SQL injection attacks >> via a crafted request, related to main/php_variables.c, sapi/cgi/cgi_main.c, >> and sapi/fpm/fpm/fpm_main.c.
That's some noise on the wire... This fix was never part of PHP 5.3.10 and I think all security team just copied this information from CVE. (Now I at least know where they got it.) And you really need to pull the patch from https://bugs.php.net/bug.php?id=61043 before you push out 5.3.11. O. -- Ondřej Surý <ond...@sury.org> -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
