CVE-2012-0831 in PHPinfo

Summary

by MITRE

PHP before 5.3.10 does not properly perform a temporary change to the magic_quotes_gpc directive during the importing of environment variables, which makes it easier for remote attackers to conduct SQL injection attacks via a crafted request, related to main/php_variables.c, sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 03/20/2021

The vulnerability identified as CVE-2012-0831 represents a critical security flaw in PHP versions prior to 5.3.10 that stems from improper handling of the magic_quotes_gpc directive during environment variable processing. This issue specifically affects the CGI and FastCGI implementations of PHP, creating a window of opportunity for attackers to exploit SQL injection vulnerabilities through carefully crafted requests. The flaw occurs in the main/php_variables.c file where environment variables are imported, alongside the sapi/cgi/cgi_main.c and sapi/fpm/fpm/fpm_main.c components that handle CGI and FastCGI processes respectively. The vulnerability is classified under CWE-119 as a weakness related to improper handling of memory access controls during variable processing, which directly impacts the integrity of input validation mechanisms.

The technical exploitation of this vulnerability relies on the fact that PHP temporarily disables the magic_quotes_gpc directive during the import of environment variables, creating a race condition where input validation is temporarily bypassed. This temporary disablement occurs in a manner that does not properly restore the original security settings, allowing malicious input to pass through validation checks that would normally be enforced. Attackers can leverage this by crafting HTTP requests that contain SQL injection payloads, knowing that the magic_quotes_gpc protection is temporarily inactive during the environment variable import phase. The vulnerability is particularly dangerous in CGI and FastCGI environments where the process handling differs from standard PHP installations, making it more prevalent in web server configurations that utilize these SAPI modules.

The operational impact of CVE-2012-0831 extends beyond simple SQL injection capabilities, as it fundamentally undermines the input sanitization mechanisms that PHP provides by default. This vulnerability affects web applications that rely on PHP's built-in protection against SQL injection attacks, particularly those deployed in CGI or FastCGI environments where the vulnerability is most pronounced. The attack vector requires remote execution capability, making it accessible to attackers who can send crafted HTTP requests to vulnerable web servers. This vulnerability is categorized under the ATT&CK technique T1190 - Proxy Execution, as it enables attackers to leverage the web server's PHP processing capabilities to execute malicious SQL commands against backend databases. The exploitation process typically involves sending requests that manipulate environment variables while the magic_quotes_gpc directive is temporarily disabled, allowing SQL injection payloads to bypass normal input validation.

Organizations affected by this vulnerability should prioritize immediate patching of PHP installations to version 5.3.10 or later, which contains the necessary fixes to properly handle the magic_quotes_gpc directive during environment variable processing. System administrators should also implement additional security measures such as input validation at multiple layers, database access controls, and monitoring for suspicious SQL patterns in application logs. The vulnerability demonstrates the importance of proper security context management during variable processing and highlights the risks associated with temporary security mechanism disablement. Additional mitigations include implementing web application firewalls, restricting database permissions for web applications, and conducting regular security assessments of PHP configurations to ensure proper handling of input validation mechanisms. The fix implemented in PHP 5.3.10 addresses the core issue by ensuring that the magic_quotes_gpc directive maintains its proper state throughout the environment variable import process, preventing the temporary bypass that enabled the exploitation vector.

Reservation

01/19/2012

Disclosure

02/10/2012

Moderation

accepted

Entry

VDB-4629

CPE

ready

EPSS

0.06709

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!