March 2007 - Developers - lists.phpmyadmin.net

Re: [Phpmyadmin-devel] MOPB-02-2007 deep recursion,
by Marc Delisle 02 Mar '07

02 Mar '07

Sebastian Mendel a écrit : > Marc Delisle schrieb: >> Sebastian Mendel a écrit : >>> Marc Delisle schrieb: >>>> Sebastian Mendel a écrit : >>>>> Marc Delisle schrieb: >>>>>> Sebastian, >>>>>> >>>>>> this part of the patch: >>>>>> /** >>>>>> + * protect against deep recursion attack CVE-2006-1549, >>>>>> + * 1000 seems to be more than enough >>>>>> + * >>>>>> + * @see http://www.php-security.org/MOPB/MOPB-02-2007.html >>>>>> + * @see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549 >>>>>> + */ >>>>>> +if (count($GLOBALS) > 1000) { >>>>>> + die('possible deep recurse attack'); >>>>>> +} >>>>>> >>>>>> is not reached when I test the attack of MOPB-02, it's the other >>>>>> part that protects for this attack. >>>>>> >>>>>> Do you know in which case this code would trigger? In the case of an >>>>>> attempt to override $GLOBALS? >>>>> it should trigger if and only if register_globals is on >>>> I cannot make this code trigger when register_globals is on, >>>> it's always the protection in PMA_arrayWalkRecursive() that triggers. >>>> >>>> I'm attacking with >>>> curl http://127.0.0.1/phpmyadmin/ -d a`php -r 'echo >>>> str_repeat("[a]",20000);'`=1 >>>> >>>> do you have some other attack in mind? >>> this will trigger with >>> >>> phpmyadmin/?1=1;2=2;3=3;...;100000=100000 >>> >>> this would also be triggered inside PMA_arrayWalkRecursive() but at this >>> point we could have allready iterated over $GLOBALS ... >>> >>> >> Thanks for the clarification. I tried to trigger this (with >> register_globals On) >> >> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 10000; $i++) >> {echo "$i=$i;";}'` >> >> I got: >> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> >> <HTML><HEAD> >> <TITLE>414 Request-URI Too Large</TITLE> >> </HEAD><BODY> >> <H1>Request-URI Too Large</H1> >> The requested URL's length exceeds the capacity >> limit for this server.<P> >> request failed: URI too long<P> >> >> ========= >> >> With less values: >> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 10000; $i++) >> {echo "$i=$i;";}'` >> >> numeric key detected >> -------- >> >> Ok let's try something else: >> >> curl http://localhost/phpmyadmin/?`php -r >> 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=$i;";}'` > > curl http://localhost/phpmyadmin/?`php -r > 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=a;";}'` This returns the HTML for the login form. Since we are testing the GET parameters, this might be good to test: curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=$i&";}'` or curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=$i&";}'` both return "URI too long". Note that I am testing with an unpatched PMA. Marc

1 0

[Phpmyadmin-devel] external contact
by Sebastian Mendel 02 Mar '07

02 Mar '07

Hi, today i asked steffen something about his bug-reports, i noticed that marc already asked him the same ... ;-) possible we should add bcc: pma-devel list if we write to external people to not annoy them ... ;-) -- Sebastian Mendel www.sebastianmendel.de

2 1

[Phpmyadmin-devel] MOPB-02-2007 deep recursion, phpMyAdmin affected?
by Sebastian Mendel 02 Mar '07

02 Mar '07

http://www.php-security.org/MOPB/MOPB-02-2007.html i did not fully 'understand' how we are affected, but i think we are affected somehow ... especially as i come to the sentence wehre phpMyAdmin is explicitely mentioned ... -- Sebastian Mendel www.sebastianmendel.de

3 15

[Phpmyadmin-devel] about bug #1615530 open_basedir with upload tmpdir outside
by Sebastian Mendel 02 Mar '07

02 Mar '07

https://sourceforge.net/support/tracker.php?aid=1615530 -- Sebastian Mendel www.sebastianmendel.de

1 0

[Phpmyadmin-devel] MOPB-03-2007 also
by Marc Delisle 01 Mar '07

01 Mar '07

Hi, I did not do much research but the bug MOPB-03-2007:PHP Variable Destructor Deep Recursion Stack Overflow is usable against phpMyAdmin, even with the latest patch. register_globals can be On of Off. Now continuing the analysis ... Marc

1 1

[Phpmyadmin-devel] MYSQLI_CLIENT_SSL
by Marc Delisle 01 Mar '07

01 Mar '07

Hi, I wonder if $cfg['Servers'][$i]['ssl'] = true; being true by default will not cause us some problems. https://sourceforge.net/forum/forum.php?thread_id=1683182&forum_id=72909 http://ca.php.net/mysqli MYSQLI_CLIENT_SSL Use SSL (encrypted protocol). This option should not be set by application programs; it is set internally in the MySQL client library. =========== "should not be set by application programs": this is us, no? :) They don't mention this warning for MYSQL_CLIENT_SSL. Marc

3 4