|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77541 SQLite < 3.26.0 - Possible magellan vulnerability
Submitted: 2019-01-29 15:36 UTC Modified: 2019-01-29 16:36 UTC
From: myskina at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: PDO SQLite
PHP Version: 7.3.1 OS: Windows 7 x64
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
34 - 13 = ?
Subscribe to this entry?

 [2019-01-29 15:36 UTC] myskina at gmail dot com
This vulnerability in SQLite has been discussed on some sites:

PHP version 7.3.1's pdo_sqlite currently uses SQLite 3.24.0.

According to SQLite's creator to be able to use this vulnerability, you need a combination of things. You have to be able to execute arbitrary SQL and you have to have FTS3 enabled, and in those cases you can get a remote code execution.

Is SQLite in PHP 7.3.1 available with FTS3 on some OS?

Is PHP vulnerable?

Is an update to a version of SQLite that is at least 3.26.0 or earlier needed or planned in a future release?


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2019-01-29 16:16 UTC]
-Status: Open +Status: Duplicate -Type: Security +Type: Bug -Assigned To: +Assigned To: cmb
 [2019-01-29 16:16 UTC]
This is basically a duplicate of bug #77305.
 [2019-01-29 16:30 UTC] myskina at gmail dot com
-Status: Duplicate +Status: Closed
 [2019-01-29 16:30 UTC] myskina at gmail dot com
Oh. I didn't find the other bug report when I searched for related issues before submitting.

I'll close this one.
 [2019-01-29 16:36 UTC]
-Status: Closed +Status: Duplicate
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon May 20 07:01:34 2024 UTC