[Phpmyadmin-devel] MOPB-02-2007 deep recursion

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Fri Mar 2 15:46:20 CET 2007


Sebastian Mendel a écrit :
> Marc Delisle schrieb:
>> Sebastian Mendel a écrit :
>>> Marc Delisle schrieb:
>>>> Sebastian Mendel a écrit :
>>>>> Marc Delisle schrieb:
>>>>>> Sebastian Mendel a écrit :
>>>>>>> Marc Delisle schrieb:
>>>>>>>> Sebastian,
>>>>>>>>
>>>>>>>> this part of the patch:
>>>>>>>>   /**
>>>>>>>> + * protect against deep recursion attack CVE-2006-1549,
>>>>>>>> + * 1000 seems to be more than enough
>>>>>>>> + *
>>>>>>>> + * @see http://www.php-security.org/MOPB/MOPB-02-2007.html
>>>>>>>> + * @see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549
>>>>>>>> + */
>>>>>>>> +if (count($GLOBALS) > 1000) {
>>>>>>>> +    die('possible deep recurse attack');
>>>>>>>> +}
>>>>>>>>
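Review bot: the comment on this hunk promises protection against deep recursion, but count($GLOBALS) > 1000 measures how many top-level entries exist, not how deeply any of them is nested; as the exchange below confirms, the nested a[a][a]... payload from MOPB-02 has a single top-level key and is caught only by the check in PMA_arrayWalkRecursive(), while this guard fires only with register_globals on and many distinct parameter names. The comment should say that this is a breadth guard for the register_globals case, and the message in die('possible deep recurse attack') should read "recursion".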
>>>>>>>> is not reached when I test the attack of MOPB-02; it's the other 
>>>>>>>> part that protects against this attack.
>>>>>>>>
>>>>>>>> Do you know in which case this code would trigger? In the case of an 
>>>>>>>> attempt to override $GLOBALS?
>>>>>>> it should trigger if and only if register_globals is on
>>>>>> I cannot make this code trigger when register_globals is on,
>>>>>> it's always the protection in PMA_arrayWalkRecursive() that triggers.
>>>>>>
>>>>>> I'm attacking with
>>>>>>   curl http://127.0.0.1/phpmyadmin/ -d a`php -r 'echo 
>>>>>> str_repeat("[a]",20000);'`=1
>>>>>>
>>>>>> do you have some other attack in mind?
>>>>> this will trigger with
>>>>>
>>>>> phpmyadmin/?1=1;2=2;3=3;...;100000=100000
>>>>>
>>>>> this would also be triggered inside PMA_arrayWalkRecursive() but at this 
>>>>> point we could have already iterated over $GLOBALS ...
>>>>>
>>>>>
>>>> Thanks for the clarification. I tried to trigger this (with 
>>>> register_globals On)
>>>>
>>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 10000; $i++) 
>>>> {echo "$i=$i;";}'`
>>>>
>>>> I got:
>>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>>> <HTML><HEAD>
>>>> <TITLE>414 Request-URI Too Large</TITLE>
>>>> </HEAD><BODY>
>>>> <H1>Request-URI Too Large</H1>
>>>> The requested URL's length exceeds the capacity
>>>> limit for this server.<P>
>>>> request failed: URI too long<P>
>>>>
>>>> =========
>>>>
>>>> With less values:
>>>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 10000; $i++) 
>>>> {echo "$i=$i;";}'`
>>>>
>>>> numeric key detected
>>>> --------
>>>>
>>>> Ok let's try something else:
>>>>
>>>> curl http://localhost/phpmyadmin/?`php -r
>>>>   'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=$i;";}'`
>>> curl http://localhost/phpmyadmin/?`php -r
>>>   'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=a;";}'`
>> This returns the HTML for the login form.
> 
> uh, of course you have to use & instead of ; if your configuration says so
> 
> curl http://localhost/phpmyadmin/?`php -r
>    'for ($i=1; $i < 1000; $i++) {echo "x" . $i . "=a&";}'`
> 
> 
>> Since we are testing the GET parameters, this might be good to test:
>>
>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) 
>> {echo "x" . $i . "=$i&";}'`
>>
>> or
>> curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) 
>> {echo "x" . $i . "=$i&";}'`
>>
>> both return "URI too long".
> 
> 
> as above, replace the second $i with a or 1 or ...
> 
> 

curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) 
{echo "x" . $i . "=a&";}'`

  -> URI too long

curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) 
{echo "x" . $i . "=a&";}'`

-> login form

curl http://localhost/phpmyadmin/?`php -r 'for ($i=1; $i < 1000; $i++) 
{echo "x" . $i . "=1&";}'`

-> URI too long
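As an added example, not phpMyAdmin's own code, here is the distinction the thread draws written out in PHP: a width guard over the top-level parameter count (what the count($GLOBALS) hunk does when register_globals is on) beside a depth guard that aborts a recursive walk early (the job PMA_arrayWalkRecursive() is credited with above). The function names and the limits 1000 and 32 are assumptions; the inputs are constructed to mirror the payload shapes discussed.

```php
<?php
// Added example, not phpMyAdmin code. Two independent guards over a decoded
// request array: a width check (many distinct top-level names, the case the
// count($GLOBALS) > 1000 hunk covers with register_globals on) and a depth
// check that stops a recursive walk before a[a][a]... payloads go deep.
const EXAMPLE_MAX_WIDTH = 1000; // assumed; mirrors the patch's 1000
const EXAMPLE_MAX_DEPTH = 32;   // assumed; phpMyAdmin's own value is not quoted here

/** Maximum nesting depth of $data (a flat array is depth 1); throws past $limit
 *  so the walk stops before the deepest levels are ever visited. */
function example_max_depth(array $data, int $limit, int $depth = 1): int
{
    if ($depth > $limit) {
        throw new RuntimeException("nesting deeper than $limit levels");
    }
    $max = $depth;
    foreach ($data as $value) {
        if (is_array($value)) {
            $max = max($max, example_max_depth($value, $limit, $depth + 1));
        }
    }
    return $max;
}

/** Reject a request array that is too wide or too deep; return it otherwise. */
function example_check_request(array $request): array
{
    if (count($request) > EXAMPLE_MAX_WIDTH) {
        throw new RuntimeException(count($request) . ' top-level parameters');
    }
    example_max_depth($request, EXAMPLE_MAX_DEPTH);
    return $request;
}

// Constructed inputs mirroring the payload shapes discussed in the thread.
// The deep one is decoded with parse_str() and kept under 64 levels, the
// default of PHP's max_input_nesting_level; the wide one is built directly
// so the run does not depend on php.ini input limits.
parse_str('a' . str_repeat('[a]', 50) . '=1', $deep);
$wide   = array_fill_keys(array_map(fn($i) => "x$i", range(1, 2000)), 'a');
$benign = ['db' => 'test', 'table' => 't1', 'pos' => '0'];

foreach (['deep' => $deep, 'wide' => $wide, 'benign' => $benign] as $label => $params) {
    try {
        example_check_request($params);
        echo "$label: accepted\n";
    } catch (RuntimeException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

The deep payload is rejected by the depth walk and the wide one by the count check, while the benign request passes both; swapping the order of the two checks, or dropping either, leaves one payload shape undetected.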