PHP 5.2.7 *BEWARE* magic_quotes_gpc broken

December 7th, 2008 | by Stefan Esser |

Two days ago I blogged about the release of PHP 5.2.7 and how it fixes several security bugs. Because some are mentioned and some are not mentioned in the Changelog, it is usally advised to upgrade to new PHP versions instead of using distribution packages with security backports. The problem with security backports and incomplete changelogs is that security bugs not being mentioned in the changelog are unknown to the distributions and therefore the necessary fixes will not be backported.

But now it turns out that upgrading to PHP 5.2.7 is not a good idea either, because a change in the ext/filter extension that by default processes all incoming data, broke the magic_quotes_gpc feature. While magic_quotes_gpc itself is deprecated and it is recommended to not rely on it as protection against SQL injection, it is still used in many legacy applications that become very insecure once it is turned off. And exactly that happens with the upgrade to PHP 5.2.7. The fix for this was already commited to the PHP CVS and PHP 5.2.8 will be released next week.

Administrators should be able to protect against this until the release of PHP 5.2.8 by recompiling PHP and disabling ext/filter.

  1. 9 Responses to “PHP 5.2.7 *BEWARE* magic_quotes_gpc broken”

  2. By Lukas on Dec 7, 2008 | Reply

    One thing to mention .. Joe Orten who maintains the RHEL php packages is actually on the security@ mailinglist. So I guess he has the best chance at actually catching all security issues that need to be backported. Other distro maintainers might want to diff newer PHP releases just to be sure they catch everything too. Lets hope things improve on the side of PHP.net

  3. By Kelson on Dec 8, 2008 | Reply

    Just to verify: if magic_quotes_gpc and similar options are set to “Off” in php.ini, this makes no difference, because the bug involves breaking something that’s already disabled, correct?

  4. By Stefan on Dec 10, 2008 | Reply

    The bug has been fixed in PHP 5.2.8, which is available for two days now. I am waiting for a new release of the Suhosin patch, to update my packages. :-)

  1. 6 Trackback(s)

  2. Dec 7, 2008: PHP 5.2.7 updated because magic_quotes_gpc is broken | Dotdeb
  3. Dec 8, 2008: Suspekt… » Blog Archive » PHP 5.2.7 *BEWARE* magic_quotes_gpc broken | MySQL Security
  4. Dec 8, 2008: PHP-5.2.7でデグレ、インストールは非推奨 | Selfkleptomaniac
  5. Dec 17, 2008: PHP 5.2.7 ve ‘magic_quotes_gpc = On’ Dikkat | Diğer Sitelerden
  6. Jan 21, 2009: php, Estefan Esser, e a saga - Wagner Elias - Think Security First
  7. Feb 26, 2009: PHP 5.2.7 updated because magic_quotes_gpc is broken | Pad's Notes

Post a Comment