[Phpmyadmin-devel] MOPB-02-2007 deep recursion,

Sebastian Mendel lists at sebastianmendel.de
Fri Mar 2 16:48:15 CET 2007


Marc Delisle schrieb:
> Sebastian Mendel a écrit :
>> Marc Delisle schrieb:
>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>>> {echo "x" . $i . "=a&";}'`
>>>
>>>  -> URI too long
>>>
>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>>> {echo "x" . $i . "=a&";}'`
>>>
>>> -> login form
>>>
>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>>> {echo "x" . $i . "=1&";}'`
>>>
>>> -> URI too long
>> works for me:
>>
>> deep_recusrion.php
>> <?php
>> echo 'register_globals: ' . ini_get('register_globals');
>> echo '<hr />';
>> echo '<a href="?';
>> for ($i = 1; $i < 1010; $i++) {echo "x" . $i . "=a&";}
>> echo '">klick to test protection against 1000+ vars</a>';
>> echo '<hr />';
>>
>> if (count($GLOBALS) > 1000) {
>>     die('deep recursion attack');
>> }
>> ?>
> 
> I wrote that I was testing an unpatched PMA. I'm not saying that our 
> "if" does not work, I'm saying that I don't see the goal of checking the 
> size of $GLOBALS.

oh - well, you are right

the maximum length limits this,
but the maximum length of the request uri depends on the server
configuration/build

but even then we have no recursive call over $GLOBALS

but:
it makes no sense to have more than 1000 variables - but of course we could
also check only $_REQUEST

and as Stefan wrote: " ... Definitely a sign for an exploit ... "

so we could just change the message, or?


-- 
Sebastian Mendel

www.sebastianmendel.de
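
The alternative raised in the message above, counting the request variables instead of $GLOBALS, as an added example that is not part of the original message and is not phpMyAdmin code. The function names, the nesting limit and the sample inputs are assumptions made for illustration; only the 1000-variable threshold comes from the thread.

```php
<?php
const MAX_REQUEST_VARS = 1000; // threshold used in the thread
const MAX_NESTING = 32;        // assumed value, not discussed in the thread

/**
 * Count every key in a request array, nested keys included.
 * Uses an explicit stack so the check itself never recurses.
 * Returns [count, deepest level seen]; stops early once a limit is passed.
 */
function request_var_stats(array $input, int $maxVars, int $maxDepth): array
{
    $count = 0;
    $deepest = 0;
    $stack = [[$input, 1]];
    while ($stack) {
        [$node, $depth] = array_pop($stack);
        $deepest = max($deepest, $depth);
        foreach ($node as $value) {
            $count++;
            if ($count > $maxVars || $depth > $maxDepth) {
                return [$count, $deepest];
            }
            if (is_array($value)) {
                $stack[] = [$value, $depth + 1];
            }
        }
    }
    return [$count, $deepest];
}

/** True if any source exceeds the variable count or nesting limit. */
function request_is_suspicious(array ...$sources): bool
{
    foreach ($sources as $src) {
        [$n, $d] = request_var_stats($src, MAX_REQUEST_VARS, MAX_NESTING);
        if ($n > MAX_REQUEST_VARS || $d > MAX_NESTING) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs; a real caller would pass $_GET, $_POST, $_COOKIE.
$flat = [];
for ($i = 1; $i < 1010; $i++) { $flat["x$i"] = 'a'; }          // 1009 flat vars
$nested = ['a' => 'leaf'];
for ($i = 0; $i < 40; $i++) { $nested = ['a' => $nested]; }    // 41 levels deep
$normal = ['db' => 'test', 'table' => 'users', 'sel' => ['id', 'name']];

var_dump(request_is_suspicious($flat), request_is_suspicious($nested),
         request_is_suspicious($normal));
```

Checking $_POST and $_COOKIE as well as $_GET matters because only the query string is bounded by the server's request URI length limit.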



