[Phpmyadmin-devel] MOPB-02-2007 deep recursion,

Sebastian Mendel lists at sebastianmendel.de
Fri Mar 2 17:12:28 CET 2007


Marc Delisle wrote:
> Sebastian Mendel wrote:
>> Marc Delisle wrote:
>>> Sebastian Mendel wrote:
>>>> Marc Delisle wrote:
>>>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>>>>> {echo "x" . $i . "=a&";}'`
>>>>>
>>>>>  -> URI too long
>>>>>
>>>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>>>>> {echo "x" . $i . "=a&";}'`
>>>>>
>>>>> -> login form
>>>>>
>>>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++)
>>>>> {echo "x" . $i . "=1&";}'`
>>>>>
>>>>> -> URI too long
>>>> works for me:
>>>>
>>>> deep_recusrion.php
>>>> <?php
>>>> echo 'register_globals: ' . ini_get('register_globals');
>>>> echo '<hr />';
>>>> echo '<a href="?';
>>>> for ($i = 1; $i < 1010; $i++) {echo "x" . $i . "=a&";}
>>>> echo '">klick to test protection against 1000+ vars</a>';
>>>> echo '<hr />';
>>>>
>>>> if (count($GLOBALS) > 1000) {
>>>>     die('deep recursion attack');
>>>> }
>>>> ?>
>>> I wrote that I was testing an unpatched PMA. I'm not saying that our
>>> "if" does not work, I'm saying that I don't see the goal of checking
>>> the size of $GLOBALS.
>>
>> oh - well, you are right
>>
>> the maximum length limits this,
>> but the maximum length of the request uri depends on the server
>> configuration/build
>>
>> but even then we have no recursive call over $GLOBALS
>>
>> but:
>> it makes no sense to have more than 1000 variables - but of course we
>> could
>> also check only $_REQUEST
>>
>> and as stefan wrote: " ... Definitievly a sign for an exploit ... "
>>
>> so we could just change the message, or?
>
> Yes, change the message and the comment about recursion, and I would
> dissociate this part of the patch from the MOPB patch.
> 
> This could be a general protection feature that goes into trunk and
> QA_2_10 but since we don't see how to exploit it, we would not talk
> about it in our upcoming PMASA.
> 
> Ok ?

ok


-- 
Sebastian Mendel

www.sebastianmendel.de
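As an added example, not code from this thread or from phpMyAdmin, the check discussed above applied to $_REQUEST instead of $GLOBALS, with the "deep recursion" message reworded; the function name, the 1000 limit and the message text are assumptions:

```php
<?php
// Added example, not phpMyAdmin code: reject requests that carry an
// implausible number of variables, counting $_REQUEST rather than $GLOBALS.
//
// count($GLOBALS) only reflects the number of request parameters when
// register_globals (or a similar import step) copies each parameter into
// the global scope; with register_globals off, $_GET and $_POST each appear
// in $GLOBALS as one entry, so such a check would never trigger. Counting
// $_REQUEST measures the request itself, independent of that setting.

define('MAX_REQUEST_VARS', 1000); // assumed limit, as used in the thread

/**
 * Returns an error message when the request has more top-level variables
 * than $limit, or null when the count is acceptable. Nested parameters
 * such as x[1]=a count once per top-level name.
 */
function checkRequestVarCount(array $request, $limit = MAX_REQUEST_VARS)
{
    $n = count($request);
    if ($n > $limit) {
        // Reworded: no claim about recursion, just a request no normal
        // client produces, which is what the thread treats as a sign of
        // an exploit attempt.
        return sprintf('Request rejected: %d variables exceed the limit of %d',
                       $n, $limit);
    }
    return null;
}

if (PHP_SAPI !== 'cli') {
    // Real request: stop before any of the variables are processed.
    $error = checkRequestVarCount($_REQUEST);
    if ($error !== null) {
        header('HTTP/1.0 400 Bad Request');
        die(htmlspecialchars($error, ENT_QUOTES, 'UTF-8'));
    }
} else {
    // Constructed sample, mirroring the 1010-variable link from the thread.
    $sample = array();
    for ($i = 1; $i < 1010; $i++) {
        $sample['x' . $i] = 'a';
    }
    echo checkRequestVarCount($sample), "\n";   // rejected: 1009 > 1000
    echo var_export(checkRequestVarCount(array('db' => 'test')), true), "\n";
}
```

Run from the command line the script only exercises the constructed sample; served by a web server it applies the check to the live request.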



