2 Mar
2007
2 Mar
'07
6:13 p.m.
Sebastian Mendel a écrit :
Marc Delisle schrieb:
I wrote that I was testing an unpatched PMA. I'm not saying that our
"if" does not work, I'm saying that I don't see the goal of checking the
size of $GLOBALS.
Marc
curl http://localhost/phpmyadmin/?`php -r
'for ($i=1; $i < 1000; $i++)
{echo "x" . $i . "=a&";}'`
-> URI too long
curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
{echo "x" . $i . "=a&";}'`
-> login form
curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
{echo "x" . $i . "=1&";}'`
-> URI too long
works for me:
deep_recusrion.php
<?php
echo 'register_globals: ' . ini_get('register_globals');
echo '<hr />';
echo '<a href="?';
for ($i = 1; $i < 1010; $i++) {echo "x" . $i . "=a&";}
echo '">klick to test protection against 1000+ vars</a>';
echo '<hr />';
if (count($GLOBALS) > 1000) {
die('deep recursion attack');
}
?>
2 Mar
2 Mar
6:48 p.m.
New subject: [Phpmyadmin-devel] MOPB-02-2007 deep recursion,
Marc Delisle schrieb:
Sebastian Mendel a écrit :
oh - well, you are right
the maximum length limits this,
but the maximum length of the request uri depends on the server
configuration/build
but even than we have no recursive call over $GLOBALS
but:
it makes no sense to have more than 1000 variables - but of course we could
also check only $_REQUEST
and as stefan wrote: " ... Definitievly a sign for an exploit ... "
so we could just change the message, or?
--
Sebastian Mendel
www.sebastianmendel.de
Marc Delisle schrieb:
I wrote that I was testing an unpatched PMA. I'm not saying that our
"if" does not work, I'm saying that I don't see the goal of checking
the
size of $GLOBALS. curl http://localhost/phpmyadmin/?`php -r
'for ($i=1; $i < 1000; $i++)
{echo "x" . $i . "=a&";}'`
-> URI too long
curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
{echo "x" . $i . "=a&";}'`
-> login form
curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
{echo "x" . $i . "=1&";}'`
-> URI too long
works for me:
deep_recusrion.php
<?php
echo 'register_globals: ' . ini_get('register_globals');
echo '<hr />';
echo '<a href="?';
for ($i = 1; $i < 1010; $i++) {echo "x" . $i . "=a&";}
echo '">klick to test protection against 1000+ vars</a>';
echo '<hr />';
if (count($GLOBALS) > 1000) {
die('deep recursion attack');
}
?>
6:52 p.m.
New subject: [Phpmyadmin-devel] MOPB-02-2007 deep recursion,
Sebastian Mendel a écrit :
Marc Delisle schrieb:
Yes, change the message and the comment about recursion, and I would
dissociate this part of the patch from the MOPB patch.
This could be a general protection feature that goes into trunk and
QA_2_10 but since we don't see how to exploit it, we would not talk
about it in our upcoming PMASA.
Ok ?
Sebastian Mendel a écrit :
oh - well, you are right
the maximum length limits this,
but the maximum length of the request uri depends on the server
configuration/build
but even than we have no recursive call over $GLOBALS
but:
it makes no sense to have more than 1000 variables - but of course we could
also check only $_REQUEST
and as stefan wrote: " ... Definitievly a sign for an exploit ... "
so we could just change the message, or?
Marc Delisle schrieb:
I wrote that I was testing an unpatched PMA. I'm not saying that our
"if" does not work, I'm saying that I don't see the goal of checking
the
size of $GLOBALS. curl http://localhost/phpmyadmin/?`php -r
'for ($i=1; $i < 1000; $i++)
{echo "x" . $i . "=a&";}'`
-> URI too long
curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
{echo "x" . $i . "=a&";}'`
-> login form
curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
{echo "x" . $i . "=1&";}'`
-> URI too long
works for me:
deep_recusrion.php
<?php
echo 'register_globals: ' . ini_get('register_globals');
echo '<hr />';
echo '<a href="?';
for ($i = 1; $i < 1010; $i++) {echo "x" . $i . "=a&";}
echo '">klick to test protection against 1000+ vars</a>';
echo '<hr />';
if (count($GLOBALS) > 1000) {
die('deep recursion attack');
}
?>
7:12 p.m.
New subject: [Phpmyadmin-devel] MOPB-02-2007 deep recursion,
Marc Delisle schrieb:
Sebastian Mendel a écrit :
ok
--
Sebastian Mendel
www.sebastianmendel.de
Marc Delisle schrieb:
Yes, change the message and the comment about recursion, and I would
dissociate this part of the patch from the MOPB patch.
This could be a general protection feature that goes into trunk and
QA_2_10 but since we don't see how to exploit it, we would not talk
about it in our upcoming PMASA.
Ok ? Sebastian Mendel a écrit :
oh - well, you are right
the maximum length limits this,
but the maximum length of the request uri depends on the server
configuration/build
but even than we have no recursive call over $GLOBALS
but:
it makes no sense to have more than 1000 variables - but of course we
could
also check only $_REQUEST
and as stefan wrote: " ... Definitievly a sign for an exploit ... "
so we could just change the message, or? Marc Delisle schrieb:
> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
> {echo "x" . $i . "=a&";}'`
>
> -> URI too long
>
> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
> {echo "x" . $i . "=a&";}'`
>
> -> login form
>
> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
> {echo "x" . $i . "=1&";}'`
>
> -> URI too long
works for me:
deep_recusrion.php
<?php
echo 'register_globals: ' . ini_get('register_globals');
echo '<hr />';
echo '<a href="?';
for ($i = 1; $i < 1010; $i++) {echo "x" . $i . "=a&";}
echo '">klick to test protection against 1000+ vars</a>';
echo '<hr />';
if (count($GLOBALS) > 1000) {
die('deep recursion attack');
}
?>
I wrote that I was testing an unpatched PMA. I'm not saying that our
"if" does not work, I'm saying that I don't see the goal of checking
the size of $GLOBALS.
6412
days inactive
6412
days old
3 comments
2 participants
participants (2)
-
Marc Delisle -
Sebastian Mendel