Sebastian Mendel wrote:
Marc Delisle wrote:
curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=a&";}'`
-> URI too long
curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=a&";}'`
-> login form
curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=1&";}'`
-> URI too long
works for me:
deep_recusrion.php
<?php
echo 'register_globals: ' . ini_get('register_globals');
echo '<hr />';
// Build a link whose query string carries the variables x1..x1009.
echo '<a href="?';
for ($i = 1; $i < 1010; $i++) {
    echo "x" . $i . "=a&";
}
echo '">klick to test protection against 1000+ vars</a>';
echo '<hr />';
// The check under discussion.
if (count($GLOBALS) > 1000) {
    die('deep recursion attack');
}
?>
I wrote that I was testing an unpatched PMA. I'm not saying that our "if" does not work, I'm saying that I don't see the goal of checking the size of $GLOBALS.
Marc
oh - well, you are right
the maximum length limits this, but the maximum length of the request uri depends on the server configuration/build
but even then we have no recursive call over $GLOBALS
but: it makes no sense to have more than 1000 variables - but of course we could also check only $_REQUEST
and as Stefan wrote: " ... Definitely a sign for an exploit ... "
so we could just change the message, or?
Yes, change the message and the comment about recursion, and I would dissociate this part of the patch from the MOPB patch.
This could be a general protection feature that goes into trunk and QA_2_10 but since we don't see how to exploit it, we would not talk about it in our upcoming PMASA.
Ok ?
ok
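
The check the thread converges on, counting request variables instead of $GLOBALS and reporting it with a message that does not mention recursion, could look like the following. This is an added example, not part of the thread and not phpMyAdmin's code; the function name, the constant and the message text are assumptions, and it also counts nested array elements, which goes beyond the top-level count() discussed above.

```php
<?php
// Added illustration, not phpMyAdmin code.
// count_request_vars() and MAX_REQUEST_VARS are hypothetical names.

const MAX_REQUEST_VARS = 1000; // threshold mentioned in the thread

/**
 * Count the variables in a request array: top-level keys plus nested
 * array elements such as x[a][b]=1. Uses an explicit stack, so the
 * counter itself never recurses, and stops as soon as $limit is passed.
 */
function count_request_vars(array $input, int $limit): int
{
    $count = 0;
    $stack = [$input];
    while ($stack) {
        $current = array_pop($stack);
        foreach ($current as $value) {
            if (++$count > $limit) {
                return $count; // already over the limit, stop counting
            }
            if (is_array($value)) {
                $stack[] = $value; // visit nested elements later
            }
        }
    }
    return $count;
}

// Constructed sample: what ?x1=a&x2=a&...&x1009=a is parsed into.
$sample = [];
for ($i = 1; $i < 1010; $i++) {
    $sample['x' . $i] = 'a';
}

// Check each request source separately. GET is bounded by the server's
// URI length limit, POST and cookies are not bounded by it.
$sources = ['sample' => $sample, '_GET' => $_GET, '_POST' => $_POST, '_COOKIE' => $_COOKIE];
foreach ($sources as $name => $vars) {
    if (count_request_vars($vars, MAX_REQUEST_VARS) > MAX_REQUEST_VARS) {
        // A real guard would stop the request here, e.g. with die().
        echo 'rejected: more than ' . MAX_REQUEST_VARS . " variables in $name\n";
    }
}
```

Run from the command line, where the request arrays are empty, only the constructed sample is reported.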