Marc Delisle schrieb:
Sebastian Mendel a écrit :
http://www.php-security.org/MOPB/MOPB-02-2007.html
i did not fully 'understand' how we are affected, but i think we are
affected somehow ... especially as i come to the sentence wehre phpMyAdmin
is explicitely mentioned ...
We recursively call PMA_gpc_extract(), maybe we can do something about
this as a workaround to this PHP problem.
To better see what happens, add a print_r() like this:
function PMA_gpc_extract($array, &$target, $sanitize = true)
{
print_r($array);
if ( ! is_array($array) ) {
return false;
}
but this comes after the iteration over $GLOBALS and
PMA_arrayWalkRecursive($_GET, 'stripslashes', true);
PMA_arrayWalkRecursive($_POST, 'stripslashes', true);
PMA_arrayWalkRecursive($_COOKIE, 'stripslashes', true);
PMA_arrayWalkRecursive($_REQUEST, 'stripslashes', true);
so this is too late ... ;-)
and call a modified version of the exploit
curl
http://127.0.0.1/phpmyadmin/ -d a`php -r 'echo
str_repeat("[a]",5);'`=1
--
Sebastian Mendel
www.sebastianmendel.de