[Phpmyadmin-devel] MOPB-02-2007 deep recursion,

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Fri Mar 2 15:16:45 CET 2007 

Sebastian Mendel a écrit :
> Marc Delisle schrieb:
>> Sebastian Mendel a écrit :
>>> Marc Delisle schrieb:
>>>> Sebastian Mendel a écrit :
>>>>> Marc Delisle schrieb:
>>>>>> Sebastian,
>>>>>>
>>>>>> this part of the patch:
>>>>>>   /**
>>>>>> + * protect against deep recursion attack CVE-2006-1549,
>>>>>> + * 1000 seems to be more than enough
>>>>>> + *
>>>>>> + * @see http://www.php-security.org/MOPB/MOPB-02-2007.html
>>>>>> + * @see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549
>>>>>> + */
>>>>>> +if (count($GLOBALS) > 1000) {
>>>>>> +    die('possible deep recurse attack');
>>>>>> +}
>>>>>>
>>>>>> is not reached when I test the attack of MOPB-02, it's the other 
>>>>>> part that protects for this attack.
>>>>>>
>>>>>> Do you know in which case this code would trigger? In the case of an 
>>>>>> attempt to override $GLOBALS?
>>>>> it should trigger if and only if register_globals is on
>>>> I cannot make this code trigger when register_globals is on,
>>>> it's always the protection in PMA_arrayWalkRecursive() that triggers.
>>>>
>>>> I'm attacking with
>>>>   curl http://127.0.0.1/phpmyadmin/ -d a`php -r 'echo 
>>>> str_repeat("[a]",20000);'`=1
>>>>
>>>> do you have some other attack in mind?
>>> this will trigger with
>>>
>>> phpmyadmin/?1=1;2=2;3=3;...;100000=100000
>>>
>>> this would also be triggered inside PMA_arrayWalkRecursive() but at this 
>>> point we could have allready iterated over $GLOBALS ...
>>>
>>>
>> Thanks for the clarification. I tried to trigger this (with 
>> register_globals On)
>>
>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 10000; $i++) 
>> {echo "$i=$i;";}'`
>>
>> I got:
>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>> <HTML><HEAD>
>> <TITLE>414 Request-URI Too Large</TITLE>
>> </HEAD><BODY>
>> <H1>Request-URI Too Large</H1>
>> The requested URL's length exceeds the capacity
>> limit for this server.<P>
>> request failed: URI too long<P>
>>
>> =========
>>
>> With less values:
>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 10000; $i++) 
>> {echo "$i=$i;";}'`
>>
>> numeric key detected
>> --------
>>
>> Ok let's try something else:
>>
>> curl http://localhost/phpmyadmin/?`php -r
>>   'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=$i;";}'`
> 
> curl http://localhost/phpmyadmin/?`php -r
>   'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=a;";}'`

This returns the HTML for the login form.

Since we are testing the GET parameters, this might be good to test:

curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) 
{echo "x" . $i . "=$i&";}'`

or
curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) 
{echo "x" . $i . "=$i&";}'`

both return "URI too long".

Note that I am testing with an unpatched PMA.

Marc

More information about the Developers mailing list