Sebastian Mendel wrote:
Marc Delisle wrote:
Sebastian Mendel wrote:
Marc Delisle wrote:
Sebastian Mendel wrote:
Marc Delisle wrote:
Sebastian Mendel wrote:
> Marc Delisle wrote:
>> Sebastian,
>>
>> this part of the patch:
>> /**
>> + * protect against deep recursion attack CVE-2006-1549,
>> + * 1000 seems to be more than enough
>> + *
>> + * @see http://www.php-security.org/MOPB/MOPB-02-2007.html
>> + * @see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549
>> + */
>> +if (count($GLOBALS) > 1000) {
>> + die('possible deep recurse attack');
>> +}
>>
>> is not reached when I test the attack of MOPB-02, it's the other
>> part that protects for this attack.
>>
>> Do you know in which case this code would trigger? In the case of an
>> attempt to override $GLOBALS?
> it should trigger if and only if register_globals is on
I cannot make this code trigger when register_globals is on; it's always the protection in PMA_arrayWalkRecursive() that triggers.
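Review bot: the `count($GLOBALS) > 1000` check in this hunk only counts top-level entries of $GLOBALS, so it cannot see the single deeply nested parameter that MOPB-02 sends, which is why the protection in PMA_arrayWalkRecursive() fires first in the test described above. It only trips when thousands of distinct top-level variables exist, which in practice requires register_globals, so the doc comment and the die() message should say that ("too many request variables") instead of describing it as a deep recursion guard, and the magic number 1000 deserves a named constant. Consider also guarding the block with ini_get('register_globals') or moving the count next to the recursion-depth check, so that the request is rejected before $GLOBALS is walked at all.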
I'm attacking with curl http://127.0.0.1/phpmyadmin/ -d a`php -r 'echo str_repeat("[a]",20000);'`=1
do you have some other attack in mind?
this will trigger with
phpmyadmin/?1=1;2=2;3=3;...;100000=100000
this would also be triggered inside PMA_arrayWalkRecursive() but at this point we could have already iterated over $GLOBALS ...
Thanks for the clarification. I tried to trigger this (with register_globals On)
curl http://localhost/phpmyadmin/?%60php -r 'for ($i=1; $i < 10000; $i++) {echo "$i=$i;";}'`
I got:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD> <TITLE>414 Request-URI Too Large</TITLE> </HEAD><BODY> <H1>Request-URI Too Large</H1> The requested URL's length exceeds the capacity limit for this server.<P> request failed: URI too long<P>
=========
With fewer values: curl http://localhost/phpmyadmin/?%60php -r 'for ($i=1; $i < 10000; $i++) {echo "$i=$i;";}'`
numeric key detected
Ok let's try something else:
curl http://localhost/phpmyadmin/?%60php -r 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=$i;";}'`
curl http://localhost/phpmyadmin/?%60php -r 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=a;";}'`
This returns the HTML for the login form.
uh, of course you have to use & instead of ; if your configuration says so
curl http://localhost/phpmyadmin/?%60php -r 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=a&";}'`
Since we are testing the GET parameters, this might be good to test:
curl http://localhost/phpmyadmin/?%60php -r 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=$i&";}'`
or curl http://localhost/phpmyadmin/?%60php -r 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=$i&";}'`
both return "URI too long".
as above, replace the second $i with a or 1 or ...
curl http://localhost/phpmyadmin/?%60php -r 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=a&";}'`
-> URI too long
curl http://localhost/phpmyadmin/?%60php -r 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=a&";}'`
-> login form
curl http://localhost/phpmyadmin/?%60php -r 'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=1&";}'`
-> URI too long
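The two conditions the thread keeps apart (many top-level request variables, which only register_globals produces, versus one deeply nested parameter as in MOPB-02) checked side by side. This is an added example, not phpMyAdmin's code; the `pma_example_*` names and the depth limit of 50 are assumptions, and the request arrays are constructed inline in place of $_GET/$GLOBALS.

```php
<?php
// Added example, not phpMyAdmin code. count() on the request array only
// counts top-level keys, so it catches ?1=1&2=2&...&100000=100000 but
// never a[a][a]...[a]=1; the nesting case needs a depth check.

define('PMA_EXAMPLE_MAX_TOPLEVEL', 1000); // limit the patch uses
define('PMA_EXAMPLE_MAX_DEPTH', 50);      // assumed limit for nesting

/**
 * Measure array nesting depth iteratively (no recursion, so the check
 * itself cannot exhaust the stack) and stop as soon as $limit is passed.
 */
function pma_example_array_depth(array $input, $limit)
{
    $depth = 0;
    $level = array($input); // arrays still to inspect at this depth
    while ($level) {
        $next = array();
        foreach ($level as $arr) {
            foreach ($arr as $value) {
                if (is_array($value)) {
                    $next[] = $value;
                }
            }
        }
        if ($next) {
            $depth++;
            if ($depth > $limit) {
                return $depth; // over limit: stop walking immediately
            }
        }
        $level = $next;
    }
    return $depth;
}

function pma_example_request_is_safe(array $request)
{
    if (count($request) > PMA_EXAMPLE_MAX_TOPLEVEL) {
        return false; // case 1: far too many top-level variables
    }
    if (pma_example_array_depth($request, PMA_EXAMPLE_MAX_DEPTH) > PMA_EXAMPLE_MAX_DEPTH) {
        return false; // case 2: one parameter nested thousands deep
    }
    return true;
}

// Constructed inputs standing in for parsed query strings.
$nested = 1;
for ($i = 0; $i < 20000; $i++) {
    $nested = array('a' => $nested);
}
var_dump(pma_example_request_is_safe(array('a' => $nested)));
var_dump(pma_example_request_is_safe(array_fill(1, 100000, 1)));
var_dump(pma_example_request_is_safe(array('x1' => 'a')));
```

Only the third request passes; the first fails the depth check and the second the top-level count, which is the distinction behind why count($GLOBALS) alone never fires for the MOPB-02 payload.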