From Marc.Delisle@cegepsherbrooke.qc.ca Fri Mar 2 07:53:20 2007
From: Marc Delisle
To: developers@phpmyadmin.net
Subject: Re: [Phpmyadmin-devel] MOPB-02-2007 deep recursion,
Date: Fri, 02 Mar 2007 10:52:18 -0500
Message-ID: <45E84832.9030302@cegepsherbrooke.qc.ca>
In-Reply-To: <45E8473F.4070100@sebastianmendel.de>

Sebastian Mendel wrote:
> Marc Delisle wrote:
>> Sebastian Mendel wrote:
>>> Marc Delisle wrote:
>>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>>>> {echo "x" . $i . "=a&";}'`
>>>>
>>>> -> URI too long
>>>>
>>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>>>> {echo "x" . $i . "=a&";}'`
>>>>
>>>> -> login form
>>>>
>>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>>>> {echo "x" . $i . "=1&";}'`
>>>>
>>>> -> URI too long
>>> works for me:
>>>
>>> deep_recursion.php
>>>
>>> <?php
>>> echo 'register_globals: ' . ini_get('register_globals');
>>> echo '<br />';
>>> echo '<a href="?';
>>> // (the code generating the 1000+ query variables was lost in extraction)
>>> echo '">klick to test protection against 1000+ vars</a>';
>>> echo '<br />';
>>>
>>> if (count($GLOBALS) > 1000) {
>>>     die('deep recursion attack');
>>> }
>>> ?>
>> I wrote that I was testing an unpatched PMA. I'm not saying that our
>> "if" does not work, I'm saying that I don't see the goal of checking the
>> size of $GLOBALS.
>
> oh - well, you are right
>
> the maximum length limits this,
> but the maximum length of the request uri depends on the server
> configuration/build
>
> but even then we have no recursive call over $GLOBALS
>
> but:
> it makes no sense to have more than 1000 variables - but of course we could
> also check only $_REQUEST
>
> and as stefan wrote: " ... Definitively a sign for an exploit ... "
>
> so we could just change the message, or?
>

Yes, change the message and the comment about recursion, and I would
dissociate this part of the patch from the MOPB patch. This could be a
general protection feature that goes into trunk and QA_2_10 but since we
don't see how to exploit it, we would not talk about it in our upcoming
PMASA. Ok?
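An added example, not code from the thread or from phpMyAdmin, of the check as the thread ends up describing it: count the variables the client actually sent (rather than $GLOBALS, which only reflects request input when register_globals is on) and reply with a neutral message instead of "deep recursion attack". The function names and the limit of 1000 are assumptions; the limit is the figure used in the discussion.

```php
<?php
// Added example, not phpMyAdmin code. The limit and function names are assumptions.
define('MAX_REQUEST_VARS', 1000);

// Count leaf values so that nested input (a[1]=x&a[2]=y) is counted per
// value rather than per top-level key. Works on any PHP 5 (no closures).
function countLeaves(array $a)
{
    $n = 0;
    foreach ($a as $v) {
        $n += is_array($v) ? countLeaves($v) : 1;
    }
    return $n;
}

// Count only request input. $GLOBALS is not a useful measure here: without
// register_globals it is not affected by how many variables a client sends.
// POST bodies are not bounded by the server's URI length limit, so $_POST
// is checked as well as $_GET.
function countRequestVars(array $get, array $post, array $cookie)
{
    return countLeaves($get) + countLeaves($post) + countLeaves($cookie);
}

function rejectOversizedRequest()
{
    $n = countRequestVars($_GET, $_POST, $_COOKIE);
    if ($n > MAX_REQUEST_VARS) {
        // Detail goes to the server log for the administrator; the client
        // gets a plain message that does not name a specific attack.
        error_log(sprintf('Request with %d input variables rejected (limit %d)',
                          $n, MAX_REQUEST_VARS));
        header('HTTP/1.1 400 Bad Request');
        die('Too many request variables');
    }
}

rejectOversizedRequest();
?>
```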