Sebastian Mendel a écrit :
Marc Delisle schrieb:
Sebastian Mendel a écrit :
Marc Delisle schrieb:
Sebastian,
this part of the patch:
/**
+ * protect against deep recursion attack CVE-2006-1549,
+ * 1000 seems to be more than enough
+ *
+ * @see
http://www.php-security.org/MOPB/MOPB-02-2007.html
+ * @see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549
+ */
+if (count($GLOBALS) > 1000) {
+ die('possible deep recurse attack');
+}
is not reached when I test the attack of MOPB-02, it's the other
part that protects for this attack.
Do you know in which case this code would trigger? In the case of an
attempt to override $GLOBALS?
it should trigger if and only if register_globals is on
I cannot make this code trigger when register_globals is on,
it's always the protection in PMA_arrayWalkRecursive() that triggers.
I'm attacking with
curl
http://127.0.0.1/phpmyadmin/ -d a`php -r 'echo
str_repeat("[a]",20000);'`=1
do you have some other attack in mind?
this will trigger with
phpmyadmin/?1=1;2=2;3=3;...;100000=100000
this would also be triggered inside PMA_arrayWalkRecursive() but at this
point we could have allready iterated over $GLOBALS ...
Thanks for the clarification. I tried to trigger this (with
register_globals On)
curl
http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 10000; $i++)
{echo "$i=$i;";}'`
I got:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>414 Request-URI Too Large</TITLE>
</HEAD><BODY>
<H1>Request-URI Too Large</H1>
The requested URL's length exceeds the capacity
limit for this server.<P>
request failed: URI too long<P>
=========
With less values:
curl
http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 10000; $i++)
{echo "$i=$i;";}'`
numeric key detected
--------
Ok let's try something else:
curl
http://localhost/phpmyadmin/?`php -r
'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=$i;";}'`
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>414 Request-URI Too Large</TITLE>
</HEAD><BODY>
<H1>Request-URI Too Large</H1>
The requested URL's length exceeds the capacity
limit for this server.<P>
request failed: URI too long<P>