Bug 670811 - (CVE-2010-4700) CVE-2010-4700 php: mysqli mysqli_fetch_assoc does not escape its output when magic_quotes are enabled
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Priority: low, Severity: low
Assigned To: Red Hat Product Security
impact=low,reported=20110118,public=2...
Keywords: Security
Reported: 2011-01-19 08:11 EST by Tomas Hoger
Modified: 2011-01-21 09:28 EST
Doc Type: Bug Fix
Last Closed: 2011-01-21 09:28:58 EST
Description Tomas Hoger 2011-01-19 08:11:32 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4700 to the following issue:

The set_magic_quotes_runtime function in PHP 5.3.2 and 5.3.3, when the
MySQLi extension is used, does not properly interact with use of the
mysqli_fetch_assoc function, which might make it easier for
context-dependent attackers to conduct SQL injection attacks via
crafted input that had been properly handled in earlier PHP versions.

References:
http://bugs.php.net/52221
http://www.php.net/ChangeLog-5.php#5.3.4

Upstream commit:
http://svn.php.net/viewvc/?view=revision&revision=302776
Comment 2 Tomas Hoger 2011-01-20 15:38:10 EST
I can't reproduce this issue on RHEL PHP 5.3.2 and 5.3.3.  The output is escaped as expected, identical to the file_get_contents("test.txt") output.

Looking at what code is touched by the patches referenced above, it's #ifdef MYSQLI_USE_MYSQLND code.  Both RHEL and Fedora PHP packages still use libmysql, rather than new mysqlnd driver.  Our builds should not be affected by this issue.
Comment 3 Tomas Hoger 2011-01-20 15:47:34 EST
Fedora RFE for switch to mysqlnd - bug #510951.
Comment 5 Joe Orton 2011-01-21 09:16:23 EST
Tomas is correct that this only affects the build with mysqlnd enabled, which we don't ship.
Comment 6 Tomas Hoger 2011-01-21 09:28:58 EST
Statement:

Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 4, 5, or 6.
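
The triage in comments 2 and 5 rests on two build facts: the PHP version (5.3.2 or 5.3.3) and whether mysqli is built on mysqlnd rather than libmysql. The script below is an added example, not part of this bug report or of Red Hat's tooling; it reads `php -i` text and reports which case a build falls into. The function name, verdict strings and sample inputs are constructed for illustration, and the section-heading heuristic is an assumption about the `php -i` layout.

```shell
#!/bin/sh
# Added example: classify a PHP build against the conditions named in this bug.
# Input is the text of `php -i`; layout assumptions are noted inline.

# classify_php_build (hypothetical name): reads `php -i` text on stdin and
# prints one verdict: affected-build, not-affected-libmysql,
# not-affected-version or no-mysqli.
classify_php_build() {
    awk -F ' => ' '
        # First "PHP Version" line carries the interpreter version.
        /^PHP Version => / && ver == "" { ver = $2 }
        # Assumption: a line holding a single bare word is a module heading.
        /^[A-Za-z_0-9]+$/ { section = $0 }
        # Only the mysqli section decides which client library mysqli uses.
        section == "mysqli" && $1 == "Client API library version" { client = $2 }
        END {
            sub(/[-+~].*/, "", ver)   # drop a distro suffix such as -1ubuntu9
            if (client == "")                           print "no-mysqli"
            else if (client !~ /^mysqlnd/)              print "not-affected-libmysql"
            else if (ver != "5.3.2" && ver != "5.3.3")  print "not-affected-version"
            else                                        print "affected-build"
        }'
}

# Constructed sample: trimmed `php -i` output of a libmysql build.
sample_libmysql='PHP Version => 5.3.3

mysqli

MysqlI Support => enabled
Client API library version => 5.1.47
'

# Constructed sample: the same version with mysqli built on mysqlnd.
sample_mysqlnd='PHP Version => 5.3.3

mysqli

MysqlI Support => enabled
Client API library version => mysqlnd 5.0.7-dev
'

printf 'libmysql build: %s\n' "$(printf '%s\n' "$sample_libmysql" | classify_php_build)"
printf 'mysqlnd build:  %s\n' "$(printf '%s\n' "$sample_mysqlnd" | classify_php_build)"
```

On a live host the input would come from `php -i | classify_php_build`. A verdict of `affected-build` only says the build matches the conditions in the CVE text; whether an application relies on `magic_quotes_runtime` still has to be checked in its code.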