[Phpmyadmin-devel] MOPB-02-2007 deep recursion,

Sebastian Mendel lists at sebastianmendel.de
Fri Mar 2 10:39:16 CET 2007


Marc Delisle wrote:
> Sebastian Mendel wrote:
>> Marc Delisle wrote:
>>> Sebastian,
>>>
>>> this part of the patch:
>>>   /**
>>> + * protect against deep recursion attack CVE-2006-1549,
>>> + * 1000 seems to be more than enough
>>> + *
>>> + * @see http://www.php-security.org/MOPB/MOPB-02-2007.html
>>> + * @see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549
>>> + */
>>> +if (count($GLOBALS) > 1000) {
>>> +    die('possible deep recurse attack');
>>> +}
>>>
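Review bot: the docblock above `if (count($GLOBALS) > 1000)` calls this a guard against deep recursion, but `count()` called without COUNT_RECURSIVE only counts the top-level entries of $GLOBALS, so a single deeply nested parameter never trips it. Reword the comment to say that it limits the number of top-level variables, and state that nesting depth is checked elsewhere. The literal 1000 would also be easier to audit as a named constant, and the die() message 'possible deep recurse attack' should describe the condition that was actually detected (too many variables).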
>>> is not reached when I test the attack of MOPB-02, it's the other part 
>>> that protects for this attack.
>>>
>>> Do you know in which case this code would trigger? In the case of an 
>>> attempt to override $GLOBALS?
>>
>> it should trigger if and only if register_globals is on
> 
> I cannot make this code trigger when register_globals is on,
> it's always the protection in PMA_arrayWalkRecursive() that triggers.
> 
> I'm attacking with
>   curl http://127.0.0.1/phpmyadmin/ -d a`php -r 'echo str_repeat("[a]",20000);'`=1
> 
> do you have some other attack in mind?

this will trigger with

phpmyadmin/?1=1;2=2;3=3;...;100000=100000

this would also be triggered inside PMA_arrayWalkRecursive() but at this 
point we could have already iterated over $GLOBALS ...


-- 
Sebastian Mendel

www.sebastianmendel.de
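
The two guards discussed in this thread check different things, shown here in an added PHP example that is not part of the original message or of phpMyAdmin's code: a top-level key count like the one in the quoted patch, and a depth limit of the kind the thread attributes to PMA_arrayWalkRecursive(). The function names, the depth limit of 50 and the sample arrays are assumptions constructed for illustration.

```php
<?php
// Added illustration, not phpMyAdmin code. Names and limits are assumptions.
const MAX_TOP_LEVEL_KEYS = 1000; // value taken from the quoted patch
const MAX_DEPTH = 50;            // assumed limit for this example

/** Breadth guard: plain count() sees only the top-level entries. */
function tooManyTopLevelKeys(array $input): bool
{
    return count($input) > MAX_TOP_LEVEL_KEYS;
}

/**
 * Depth guard: walks the array with an explicit stack instead of
 * recursive calls, so the check itself cannot exhaust the call stack.
 */
function exceedsDepth(array $input, int $maxDepth = MAX_DEPTH): bool
{
    $stack = [[$input, 1]];
    while ($stack) {
        [$node, $depth] = array_pop($stack);
        if ($depth > $maxDepth) {
            return true;
        }
        foreach ($node as $value) {
            if (is_array($value)) {
                $stack[] = [$value, $depth + 1];
            }
        }
    }
    return false;
}

// Constructed sample inputs (not captured traffic).
$nested = 1;
for ($i = 0; $i < 200; $i++) {
    $nested = ['a' => $nested];     // built iteratively, 200 levels
}
$deep = ['a' => $nested];           // one top-level key, deeply nested
$wide = array_fill(0, 5000, 1);     // 5000 top-level keys, one level

foreach (['deep' => $deep, 'wide' => $wide] as $name => $sample) {
    printf("%s: breadth guard=%s, depth guard=%s\n", $name,
        var_export(tooManyTopLevelKeys($sample), true),
        var_export(exceedsDepth($sample), true));
}
```

Each sample trips exactly one guard, which is why the thread treats the two checks as complementary rather than redundant.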



