From Marc.Delisle@cegepsherbrooke.qc.ca Fri Mar 2 06:46:45 2007
From: Marc Delisle
To: developers@phpmyadmin.net
Subject: Re: [Phpmyadmin-devel] MOPB-02-2007 deep recursion,
Date: Fri, 02 Mar 2007 09:46:20 -0500
Message-ID: <45E838BC.3070502@cegepsherbrooke.qc.ca>
In-Reply-To: <45E83486.5080503@sebastianmendel.de>

Sebastian Mendel wrote:
> Marc Delisle wrote:
>> Sebastian Mendel wrote:
>>> Marc Delisle wrote:
>>>> Sebastian Mendel wrote:
>>>>> Marc Delisle wrote:
>>>>>> Sebastian Mendel wrote:
>>>>>>> Marc Delisle wrote:
>>>>>>>> Sebastian,
>>>>>>>>
>>>>>>>> this part of the patch:
>>>>>>>> /**
>>>>>>>> + * protect against deep recursion attack CVE-2006-1549,
>>>>>>>> + * 1000 seems to be more than enough
>>>>>>>> + *
>>>>>>>> + * @see http://www.php-security.org/MOPB/MOPB-02-2007.html
>>>>>>>> + * @see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549
>>>>>>>> + */
>>>>>>>> +if (count($GLOBALS) > 1000) {
>>>>>>>> + die('possible deep recurse attack');
>>>>>>>> +}
>>>>>>>>
>>>>>>>> is not reached when I test the attack of MOPB-02, it's the other
>>>>>>>> part that protects against this attack.
>>>>>>>>
>>>>>>>> Do you know in which case this code would trigger? In the case of an
>>>>>>>> attempt to override $GLOBALS?
>>>>>>> it should trigger if and only if register_globals is on
>>>>>> I cannot make this code trigger when register_globals is on,
>>>>>> it's always the protection in PMA_arrayWalkRecursive() that triggers.
>>>>>>
>>>>>> I'm attacking with
>>>>>> curl http://127.0.0.1/phpmyadmin/ -d a`php -r 'echo
>>>>>> str_repeat("[a]",20000);'`=1
>>>>>>
>>>>>> do you have some other attack in mind?
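Review bot: the docblock and the die() message describe this as a deep recursion guard, but `count($GLOBALS) > 1000` counts top-level entries of $GLOBALS, not nesting depth, so a single parameter of the form `a[a][a]...=1` adds one entry however deep it is and never reaches the threshold; that matches the report in this thread that the MOPB-02 test is only stopped by the check inside PMA_arrayWalkRecursive(). What the hunk actually limits is the number of variables registered when register_globals is on (the `?x1=a&x2=a&...` case), so the comment should say so, the message should name that condition rather than recursion (and 'recurse' should read 'recursion'), for example `die('too many variables registered in $GLOBALS');`, and the check should be documented as needing to run before anything iterates over $GLOBALS, since a check that first fires inside the walk comes after the iteration it is meant to prevent.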
>>>>> this will trigger with
>>>>>
>>>>> phpmyadmin/?1=1;2=2;3=3;...;100000=100000
>>>>>
>>>>> this would also be triggered inside PMA_arrayWalkRecursive() but at this
>>>>> point we could have already iterated over $GLOBALS ...
>>>>>
>>>>>
>>>> Thanks for the clarification. I tried to trigger this (with
>>>> register_globals On)
>>>>
>>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 10000; $i++)
>>>> {echo "$i=$i;";}'`
>>>>
>>>> I got:
>>>>
>>>>
>>>> 414 Request-URI Too Large
>>>>
>>>> Request-URI Too Large
>>>>
>>>> The requested URL's length exceeds the capacity
>>>> limit for this server.
>>>>
>>>> request failed: URI too long
>>>>
>>>> =========
>>>>
>>>> With less values:
>>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 10000; $i++)
>>>> {echo "$i=$i;";}'`
>>>>
>>>> numeric key detected
>>>> --------
>>>>
>>>> OK, let's try something else:
>>>>
>>>> curl http://localhost/phpmyadmin/?`php -r
>>>> 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=$i;";}'`
>>> curl http://localhost/phpmyadmin/?`php -r
>>> 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=a;";}'`
>> This returns the HTML for the login form.
>
> uh, of course you have to use & instead of ; if your configuration says so
>
> curl http://localhost/phpmyadmin/?`php -r
> 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=a&";}'`
>
>
>> Since we are testing the GET parameters, this might be good to test:
>>
>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>> {echo "x" . $i . "=$i&";}'`
>>
>> or
>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>> {echo "x" . $i . "=$i&";}'`
>>
>> both return "URI too long".
>
>
> as above, replace the second $i with a or 1 or ...
>
>
curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
{echo "x" . $i . "=a&";}'` -> URI too long

curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
{echo "x" . $i . "=a&";}'` -> login form

curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
{echo "x" . $i . "=1&";}'` -> URI too long
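The thread distinguishes two request shapes: a single parameter nested thousands of levels deep (the MOPB-02-2007 input, caught by the depth check in PMA_arrayWalkRecursive()) and a flood of flat variables (the only thing a count on $GLOBALS can notice, and only with register_globals on). The script below is an added example written for this page, not phpMyAdmin's code: pma_walk_limited(), too_many_variables(), MAX_NESTING and the constructed inputs are this example's own names and assumptions, and it throws where the project's patch calls die() so that all three cases can be shown in one run. It assumes PHP 7 or later.

```php
<?php
// Added example, not phpMyAdmin's code. pma_walk_limited(), too_many_variables()
// and MAX_NESTING are names chosen here; the project's PMA_arrayWalkRecursive()
// may differ in detail.

const MAX_NESTING = 100; // assumed limit: far above any real form, far below crash depth

/**
 * Apply $callback to every leaf of $array, recursing at most MAX_NESTING levels.
 * A request like a[a][a]...=1 arrives as one deeply nested array; without a
 * depth check the recursive walk (and later the engine's own destructor) follows
 * the whole chain, which is what MOPB-02-2007 abuses to exhaust the stack.
 */
function pma_walk_limited(array &$array, callable $callback, int $depth = 0): void
{
    if ($depth > MAX_NESTING) {
        // The phpMyAdmin patch calls die() at this point; an exception lets the demo go on.
        throw new RuntimeException('possible deep recursion attack: nesting > ' . MAX_NESTING);
    }
    foreach ($array as &$value) {
        if (is_array($value)) {
            pma_walk_limited($value, $callback, $depth + 1);
        } else {
            $value = $callback($value);
        }
    }
    unset($value); // drop the reference left behind by foreach
}

/**
 * Build the array a[a][a]...[a]=$leaf with $levels brackets, iteratively, so the
 * demo does not go through parse_str(): since PHP 5.2.2 query-string nesting is
 * itself capped by max_input_nesting_level (default 64).
 */
function build_nested(int $levels, string $leaf = '1'): array
{
    $node = $leaf;
    for ($i = 0; $i < $levels; $i++) {
        $node = ['a' => $node];
    }
    return ['a' => $node];
}

/**
 * The other condition from the thread: number of top-level variables, which is
 * what count($GLOBALS) > 1000 measures once register_globals has turned every
 * request parameter into a global. Nesting depth does not change this count.
 */
function too_many_variables(array $request, int $limit = 1000): bool
{
    return count($request) > $limit;
}

$strip = function ($v) {
    return is_string($v) ? stripslashes($v) : $v;
};

// Constructed inputs standing in for $_GET / $_POST.
$benign = build_nested(3);      // a[a][a][a]=1, an ordinary form
$attack = build_nested(2000);   // same shape as str_repeat("[a]", 20000) in the thread
$flood  = [];                   // ?x1=a&x2=a&...&x1500=a
for ($i = 1; $i <= 1500; $i++) {
    $flood["x$i"] = 'a';
}

foreach (['benign' => $benign, 'flood' => $flood, 'attack' => $attack] as $name => $input) {
    try {
        pma_walk_limited($input, $strip);
        printf("%-6s walked: %d top-level keys, too many variables: %s\n",
            $name, count($input), too_many_variables($input) ? 'yes' : 'no');
    } catch (RuntimeException $e) {
        printf("%-6s rejected: %s\n", $name, $e->getMessage());
    }
}
```

Run it with `php deep_recursion_demo.php` (any file name will do). The benign form passes both checks, the flat flood passes the depth check but trips the variable count, and the over-nested parameter is rejected by the depth check before more than MAX_NESTING frames are on the stack, which is the separation of concerns the thread arrives at: the walk guards depth, the $GLOBALS count guards breadth, and neither substitutes for the other.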