[Phpmyadmin-devel] MOPB-02-2007 deep recursion,

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Thu Mar 1 21:38:32 CET 2007


Sebastian Mendel wrote:
> Marc Delisle wrote:
>> Sebastian,
>>
>> this part of the patch:
>>   /**
>> + * protect against deep recursion attack CVE-2006-1549,
>> + * 1000 seems to be more than enough
>> + *
>> + * @see http://www.php-security.org/MOPB/MOPB-02-2007.html
>> + * @see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549
>> + */
>> +if (count($GLOBALS) > 1000) {
>> +    die('possible deep recurse attack');
>> +}
>>
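Review bot: count($GLOBALS) on the added `if` line counts only the top-level entries of $GLOBALS, not how deeply any one entry is nested, so the docblock's "deep recursion" wording does not match what the condition measures. A single deeply nested request parameter adds one entry and comes nowhere near 1000. Either reword the comment to say this caps the number of global variables, or test nesting depth where the arrays are actually walked. The literal 1000 would also be easier to review and tune as a named constant, and the die() message should say which limit was exceeded.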
>> is not reached when I test the attack of MOPB-02, it's the other part
>> that protects against this attack.
>>
>> Do you know in which case this code would trigger? In the case of an 
>> attempt to override $GLOBALS?
>>   
> it should trigger if and only if register_globals is on

I cannot make this code trigger when register_globals is on,
it's always the protection in PMA_arrayWalkRecursive() that triggers.

I'm attacking with
  curl http://127.0.0.1/phpmyadmin/ -d a`php -r 'echo str_repeat("[a]",20000);'`=1

Do you have some other attack in mind?

Marc
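
An added example, not part of the thread and not phpMyAdmin's code, that applies the top-level count test from the quoted patch and a nesting-depth test to the same constructed input, to show what each one measures. The names `exceedsDepth()` and `buildNested()`, the depth limit of 50 and the sample of 500 levels are assumptions made for illustration.

```php
<?php
// Added illustration; function names and limits are hypothetical.

/**
 * Return true if $value nests arrays deeper than $maxDepth.
 * Uses an explicit stack instead of recursion, so the check itself
 * cannot exhaust the call stack on hostile input.
 */
function exceedsDepth($value, $maxDepth)
{
    $stack = array(array($value, 1));
    while ($stack) {
        list($node, $depth) = array_pop($stack);
        if (!is_array($node)) {
            continue;
        }
        if ($depth > $maxDepth) {
            return true; // stop at the first level past the limit
        }
        foreach ($node as $child) {
            if (is_array($child)) {
                $stack[] = array($child, $depth + 1);
            }
        }
    }
    return false;
}

/** Build a constructed value shaped like a[a][a]...=1 with $levels levels. */
function buildNested($levels)
{
    $value = '1';
    for ($i = 0; $i < $levels; $i++) {
        $value = array('a' => $value);
    }
    return $value;
}

// Constructed sample: a single request parameter nested 500 levels deep.
$request = array('a' => buildNested(500));

// Breadth test in the style of the quoted patch: counts top-level entries only.
var_dump(count($request) > 1000);

// Depth test on the same input, then on an ordinary two-level array.
var_dump(exceedsDepth($request, 50));
var_dump(exceedsDepth(array('x' => array('y' => 1)), 50));
```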



