[Phpmyadmin-devel] MOPB-02-2007 deep recursion,

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Fri Mar 2 14:01:47 CET 2007


Sebastian Mendel wrote:
> Marc Delisle wrote:
>> Sebastian Mendel wrote:
>>> Marc Delisle wrote:
>>>> Sebastian,
>>>>
>>>> this part of the patch:
>>>>   /**
>>>> + * protect against deep recursion attack CVE-2006-1549,
>>>> + * 1000 seems to be more than enough
>>>> + *
>>>> + * @see http://www.php-security.org/MOPB/MOPB-02-2007.html
>>>> + * @see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549
>>>> + */
>>>> +if (count($GLOBALS) > 1000) {
>>>> +    die('possible deep recurse attack');
>>>> +}
>>>>
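
Review bot: count($GLOBALS) in the added if statement counts only top-level entries, so this check caps the number of variables rather than nesting depth, yet the docblock and the die() message both describe it as a deep recursion guard. Suggest rewording the comment and the message to say that the number of global variables is being limited, so a reader does not assume nested input is covered here. The threshold 1000 is a bare literal justified only by "seems to be more than enough"; a named constant with a one-line rationale would make it easier to review and tune.
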
>>>> is not reached when I test the attack of MOPB-02; it's the other
>>>> part that protects against this attack.
>>>>
>>>> Do you know in which case this code would trigger? In the case of an 
>>>> attempt to override $GLOBALS?
>>>
>>> it should trigger if and only if register_globals is on
>>
>> I cannot make this code trigger when register_globals is on,
>> it's always the protection in PMA_arrayWalkRecursive() that triggers.
>>
>> I'm attacking with
>>   curl http://127.0.0.1/phpmyadmin/ -d a`php -r 'echo 
>> str_repeat("[a]",20000);'`=1
>>
>> do you have some other attack in mind?
> 
> this will trigger with
> 
> phpmyadmin/?1=1;2=2;3=3;...;100000=100000
> 
> this would also be triggered inside PMA_arrayWalkRecursive() but at this
> point we could have already iterated over $GLOBALS ...
> 
> 
Thanks for the clarification. I tried to trigger this (with 
register_globals On)

curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 10000; $i++) 
{echo "$i=$i;";}'`

I got:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>414 Request-URI Too Large</TITLE>
</HEAD><BODY>
<H1>Request-URI Too Large</H1>
The requested URL's length exceeds the capacity
limit for this server.<P>
request failed: URI too long<P>

=========

With fewer values:
curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 10000; $i++) 
{echo "$i=$i;";}'`

numeric key detected
--------

Ok let's try something else:

curl http://localhost/phpmyadmin/?`php -r
  'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=$i;";}'`

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>414 Request-URI Too Large</TITLE>
</HEAD><BODY>
<H1>Request-URI Too Large</H1>
The requested URL's length exceeds the capacity
limit for this server.<P>
request failed: URI too long<P>
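
The distinction discussed in this thread, as an added example that is not part of the original message and is not phpMyAdmin code: a top-level count check like the quoted count($GLOBALS) > 1000 sees only how many variables exist, while nesting depth needs its own check. The function names, the depth limit of 50 and both sample arrays are assumptions constructed for illustration.

```php
<?php
// Added illustration, not phpMyAdmin code. Names and limits are hypothetical.
const MAX_TOP_LEVEL_VARS = 1000; // threshold used in the quoted patch
const MAX_DEPTH = 50;            // assumed depth limit for this example

/** Width guard: count() is non-recursive, so it sees only top-level keys. */
function tooManyVariables(array $input): bool
{
    return count($input) > MAX_TOP_LEVEL_VARS;
}

/** Depth guard: iterative walk, so the check itself cannot recurse deeply. */
function exceedsDepth(array $input, int $maxDepth = MAX_DEPTH): bool
{
    $stack = [[$input, 1]];
    while ($stack) {
        [$node, $depth] = array_pop($stack);
        if ($depth > $maxDepth) {
            return true;
        }
        foreach ($node as $value) {
            if (is_array($value)) {
                $stack[] = [$value, $depth + 1];
            }
        }
    }
    return false;
}

// Constructed sample 1: a single parameter nested 200 levels (a[a][a]...=1 shape).
$nested = 1;
for ($i = 0; $i < 200; $i++) {
    $nested = ['a' => $nested];
}

// Constructed sample 2: many flat parameters x1=1, x2=2, ...
$flat = [];
for ($i = 1; $i <= 5000; $i++) {
    $flat["x$i"] = $i;
}

foreach (['nested' => $nested, 'flat' => $flat] as $name => $sample) {
    printf("%-6s too many variables: %s, too deep: %s\n", $name,
        var_export(tooManyVariables($sample), true),
        var_export(exceedsDepth($sample), true));
}
```

The nested sample passes the width guard and is caught only by the depth guard; the flat sample is the reverse.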
