Sebastian,
this part of the patch:
/**
+ * protect against deep recursion attack CVE-2006-1549,
+ * 1000 seems to be more than enough
+ *
+ * @see
http://www.php-security.org/MOPB/MOPB-02-2007.html
+ * @see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549
+ */
+if (count($GLOBALS) > 1000) {
+ die('possible deep recurse attack');
+}
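Review bot: the count($GLOBALS) > 1000 test counts only the top-level entries of $GLOBALS, which does not match the docblock's "deep recursion" wording: count() without COUNT_RECURSIVE does not descend into nested arrays, so a single deeply nested array counts as one entry and passes the check. Either reword the comment to say the limit guards against a very large number of top-level variables, or measure nesting depth on the input arrays if depth is what should be bounded. The 1000 threshold would also be easier to tune as a named constant or setting than as a literal.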
is not reached when I test the attack of MOPB-02; it's the other part
that protects against this attack.
Do you know in which case this code would trigger? In the case of an
attempt to override $GLOBALS?