From Marc.Delisle@cegepsherbrooke.qc.ca Fri Mar 2 07:14:23 2007
From: Marc Delisle
To: developers@phpmyadmin.net
Subject: Re: [Phpmyadmin-devel] MOPB-02-2007 deep recursion,
Date: Fri, 02 Mar 2007 10:13:58 -0500
Message-ID: <45E83F36.7070300@cegepsherbrooke.qc.ca>
In-Reply-To: <45E83E10.4040800@sebastianmendel.de>

Sebastian Mendel wrote:
> Marc Delisle wrote:
>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>> {echo "x" . $i . "=a&";}'`
>>
>> -> URI too long
>>
>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>> {echo "x" . $i . "=a&";}'`
>>
>> -> login form
>>
>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>> {echo "x" . $i . "=1&";}'`
>>
>> -> URI too long
>
> works for me:
>
> deep_recusrion.php
> echo 'register_globals: ' . ini_get('register_globals');
> echo '
> ';
> echo ' echo '">klick to test protection against 1000+ vars';
> echo '
> ';
>
> if (count($GLOBALS) > 1000) {
>     die('deep recursion attack');
> }
> ?>
>
>

I wrote that I was testing an unpatched PMA. I'm not saying that our
"if" does not work, I'm saying that I don't see the goal of checking the
size of $GLOBALS.

Marc

From lists@sebastianmendel.de Fri Mar 2 07:47:03 2007
From: Sebastian Mendel
To: developers@phpmyadmin.net
Subject: Re: [Phpmyadmin-devel] MOPB-02-2007 deep recursion,
Date: Fri, 02 Mar 2007 16:48:15 +0100
Message-ID: <45E8473F.4070100@sebastianmendel.de>
In-Reply-To: <45E83F36.7070300@cegepsherbrooke.qc.ca>

Marc Delisle wrote:
> Sebastian Mendel wrote:
>> Marc Delisle wrote:
>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>>> {echo "x" . $i . "=a&";}'`
>>>
>>> -> URI too long
>>>
>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>>> {echo "x" . $i . "=a&";}'`
>>>
>>> -> login form
>>>
>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>>> {echo "x" . $i . "=1&";}'`
>>>
>>> -> URI too long
>> works for me:
>>
>> deep_recusrion.php
>> echo 'register_globals: ' . ini_get('register_globals');
>> echo '
>> ';
>> echo ' echo '">klick to test protection against 1000+ vars';
>> echo '
>> ';
>>
>> if (count($GLOBALS) > 1000) {
>>     die('deep recursion attack');
>> }
>> ?>
>
> I wrote that I was testing an unpatched PMA. I'm not saying that our
> "if" does not work, I'm saying that I don't see the goal of checking the
> size of $GLOBALS.

oh - well, you are right

the maximum length limits this,
but the maximum length of the request uri depends on the server
configuration/build

but even then we have no recursive call over $GLOBALS

but:
it makes no sense to have more than 1000 variables - but of course we could
also check only $_REQUEST

and as Stefan wrote: " ... Definitely a sign for an exploit ... "

so we could just change the message, or?

-- 
Sebastian Mendel
www.sebastianmendel.de

From Marc.Delisle@cegepsherbrooke.qc.ca Fri Mar 2 07:53:20 2007
From: Marc Delisle
To: developers@phpmyadmin.net
Subject: Re: [Phpmyadmin-devel] MOPB-02-2007 deep recursion,
Date: Fri, 02 Mar 2007 10:52:18 -0500
Message-ID: <45E84832.9030302@cegepsherbrooke.qc.ca>
In-Reply-To: <45E8473F.4070100@sebastianmendel.de>

Sebastian Mendel wrote:
> Marc Delisle wrote:
>> Sebastian Mendel wrote:
>>> Marc Delisle wrote:
>>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>>>> {echo "x" . $i . "=a&";}'`
>>>>
>>>> -> URI too long
>>>>
>>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>>>> {echo "x" . $i . "=a&";}'`
>>>>
>>>> -> login form
>>>>
>>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>>>> {echo "x" . $i . "=1&";}'`
>>>>
>>>> -> URI too long
>>> works for me:
>>>
>>> deep_recusrion.php
>>> echo 'register_globals: ' . ini_get('register_globals');
>>> echo '
>>> ';
>>> echo ' echo '">klick to test protection against 1000+ vars';
>>> echo '
>>> ';
>>>
>>> if (count($GLOBALS) > 1000) {
>>>     die('deep recursion attack');
>>> }
>>> ?>
>> I wrote that I was testing an unpatched PMA. I'm not saying that our
>> "if" does not work, I'm saying that I don't see the goal of checking the
>> size of $GLOBALS.
>
> oh - well, you are right
>
> the maximum length limits this,
> but the maximum length of the request uri depends on the server
> configuration/build
>
> but even then we have no recursive call over $GLOBALS
>
> but:
> it makes no sense to have more than 1000 variables - but of course we could
> also check only $_REQUEST
>
> and as Stefan wrote: " ... Definitely a sign for an exploit ... "
>
> so we could just change the message, or?
>
>

Yes, change the message and the comment about recursion, and I would
dissociate this part of the patch from the MOPB patch.

This could be a general protection feature that goes into trunk and
QA_2_10 but since we don't see how to exploit it, we would not talk
about it in our upcoming PMASA.

Ok ?

From lists@sebastianmendel.de Fri Mar 2 08:11:12 2007
From: Sebastian Mendel
To: developers@phpmyadmin.net
Subject: Re: [Phpmyadmin-devel] MOPB-02-2007 deep recursion,
Date: Fri, 02 Mar 2007 17:12:28 +0100
Message-ID: <45E84CEC.2030407@sebastianmendel.de>
In-Reply-To: <45E84832.9030302@cegepsherbrooke.qc.ca>

Marc Delisle wrote:
> Sebastian Mendel wrote:
>> Marc Delisle wrote:
>>> Sebastian Mendel wrote:
>>>> Marc Delisle wrote:
>>>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>>>>> {echo "x" . $i . "=a&";}'`
>>>>>
>>>>> -> URI too long
>>>>>
>>>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>>>>> {echo "x" . $i . "=a&";}'`
>>>>>
>>>>> -> login form
>>>>>
>>>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>>>>> {echo "x" . $i . "=1&";}'`
>>>>>
>>>>> -> URI too long
>>>> works for me:
>>>>
>>>> deep_recusrion.php
>>>> echo 'register_globals: ' . ini_get('register_globals');
>>>> echo '
>>>> ';
>>>> echo ' echo '">klick to test protection against 1000+ vars';
>>>> echo '
>>>> ';
>>>>
>>>> if (count($GLOBALS) > 1000) {
>>>>     die('deep recursion attack');
>>>> }
>>>> ?>
>>> I wrote that I was testing an unpatched PMA. I'm not saying that our
>>> "if" does not work, I'm saying that I don't see the goal of checking
>>> the size of $GLOBALS.
>>
>> oh - well, you are right
>>
>> the maximum length limits this,
>> but the maximum length of the request uri depends on the server
>> configuration/build
>>
>> but even then we have no recursive call over $GLOBALS
>>
>> but:
>> it makes no sense to have more than 1000 variables - but of course we
>> could
>> also check only $_REQUEST
>>
>> and as Stefan wrote: " ... Definitely a sign for an exploit ... "
>>
>> so we could just change the message, or?
>
> Yes, change the message and the comment about recursion, and I would
> dissociate this part of the patch from the MOPB patch.
>
> This could be a general protection feature that goes into trunk and
> QA_2_10 but since we don't see how to exploit it, we would not talk
> about it in our upcoming PMASA.
>
> Ok ?

ok

-- 
Sebastian Mendel
www.sebastianmendel.de
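
Added example, not part of the thread and not phpMyAdmin's code: a guard of the kind discussed above that inspects only request input rather than `$GLOBALS` and fails with a neutral message. It goes beyond the thread's top-level count by also measuring array nesting, using an explicit stack so the check itself does not recurse; the function names, the depth limit and the message text are assumptions.

```php
<?php
// Added illustration; names, depth limit and message are assumptions.
const MAX_REQUEST_VARS  = 1000; // threshold used in the thread's test script
const MAX_NESTING_DEPTH = 10;   // assumed value, not taken from the thread

/**
 * Walk request data with an explicit stack (no recursive calls) and
 * return [number of non-array values, deepest array nesting level].
 */
function measure_input(array $input): array
{
    $count = 0;
    $maxDepth = 0;
    $stack = [[$input, 1]];
    while ($stack) {
        [$node, $depth] = array_pop($stack);
        $maxDepth = max($maxDepth, $depth);
        foreach ($node as $value) {
            if (is_array($value)) {
                $stack[] = [$value, $depth + 1];
            } else {
                $count++;
            }
        }
    }
    return [$count, $maxDepth];
}

function request_is_acceptable(array $input): bool
{
    [$count, $depth] = measure_input($input);
    return $count <= MAX_REQUEST_VARS && $depth <= MAX_NESTING_DEPTH;
}

// Constructed sample inputs standing in for $_REQUEST.
$normal = ['db' => 'test', 'table' => 'users', 'fields' => ['id', 'name']];
$flood = [];
for ($i = 1; $i <= 1001; $i++) {
    $flood['x' . $i] = 'a';          // same shape as the curl test in the thread
}
$nested = 'a';
for ($i = 0; $i < 50; $i++) {
    $nested = ['k' => $nested];      // one variable, 50 levels deep
}
var_dump(request_is_acceptable($normal), request_is_acceptable($flood),
         request_is_acceptable($nested));

// In a web request the guard inspects request input only, not $GLOBALS.
if (!request_is_acceptable($_REQUEST)) {
    die('request rejected: too many or too deeply nested variables');
}
```

A userland check like this runs only after PHP has already parsed the request; current PHP versions also provide the `max_input_vars` and `max_input_nesting_level` ini settings, which apply comparable limits during parsing.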