phpMyAdmin

Tracker: Bugs

1 (ok 2.10.0.2) CVE-2006-1549 deep recursion crash - ID: 1671813

Last Update: Comment added ( cybot_tm )

Details:

PHP is affected by a deep recursion crash

http://www.php-security.org/MOPB/MOPB-02-2007.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549

phpMyAdmin will try to limit recursion on arrays supplied by users, so to
make it impossible use this as an attack

Submitted:

Sebastian Mendel ( cybot_tm ) - 2007-03-01 16:02

Priority:

Status:

Closed

Resolution:

Fixed

Assigned:

Sebastian Mendel

Category:

Security / Restrictions

Group:

None

Visibility:

Public

Comments ( 9 )

Date: 2007-03-26 06:36 Sender: cybot_tm fixed the typo in trunk (2.11) no need to backport - 500 should still be enough for all external variables (COOKIE, REQUEST, GET, POST)
Date: 2007-03-26 06:15 Sender: cybot_tm not 1000 but 500! caused by a typo, it should be written $recursive_counter--; instead of $recursive_counter++; but this does not require a parameter - a waste of resources - with 500 recursive calls you will also have 500 variables of name $recursive_counter - but with being this one static it will always be only one! but thanks anyway - it showed me the typo
Date: 2007-03-25 13:23 Sender: blueyed Please note that this limits the calls to 1000 in total and not to 1000 per call. IMHO, a better approach to this would be to use a function param $recursive_counter for PMA_arrayWalkRecursive() instead of a static var: Patch against "stable" tag: Index: libraries/common.lib.php =================================================================== --- libraries/common.lib.php (Revision 10193) +++ libraries/common.lib.php (Arbeitskopie) @@ -274,17 +274,18 @@ * * @param array $array array to walk * @param string $function function to call for every array element + * @param boolean $apply_to_keys_also + * @param integer $recursive_counter Internal recursive counter / -function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also = false) +function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also = false, $recursive_counter = 0) { - static $recursive_counter = 0; - if (++$recursive_counter > 1000) { - die('possible deep recursion attack'); - } + if ($recursive_counter > 1000) { + die('Fatal error: possible deep recursion attack'); + } foreach ($array as $key => $value) { if (is_array($value)) { - PMA_arrayWalkRecursive($array[$key], $function, $apply_to_keys_also); + PMA_arrayWalkRecursive($array[$key], $function, $apply_to_keys_also, ++$recursive_counter); } else { $array[$key] = $function($value); } @@ -297,7 +298,6 @@ } } } - $recursive_counter++; } /*
Date: 2007-03-02 17:24 Sender: lem9 File Added: PMASA-2007-3-for-2.10.0.1.patch
Date: 2007-03-02 16:02 Sender: cybot_tm File Added: protect_against_deep_recursion_2.9.patch
Date: 2007-03-02 16:02 Sender: cybot_tm File Added: protect_against_deep_recursion_2.10.patch
Date: 2007-03-02 16:01 Sender: cybot_tm File Added: protect_against_deep_recursion.patch
Date: 2007-03-02 14:20 Sender: cybot_tm File Added: protect_against_deep_recursion_2.9.patch
Date: 2007-03-02 14:20 Sender: cybot_tm File Added: protect_against_deep_recursion_2.10.patch

Attached Files ( 4 )

Filename	Description	Download
protect_against_deep_recursion.patch	patch against trunk head	Download
protect_against_deep_recursion_2.10.patch	patch against 2.10	Download
protect_against_deep_recursion_2.9.patch	patch against 2.9	Download
PMASA-2007-3-for-2.10.0.1.patch	PMASA-2007-3-for-2.10.0.1.patch	Download

Changes ( 16 )

Field	Old Value	Date	By
close_date	-	2007-03-14 12:51	cybot_tm
status_id	Open	2007-03-14 12:51	cybot_tm
summary	CVE-2006-1549 deep recursion crash	2007-03-02 18:27	lem9
resolution_id	None	2007-03-02 18:27	lem9
priority	5	2007-03-02 18:27	lem9
assigned_to	nobody	2007-03-02 17:29	lem9
File Added	218541: PMASA-2007-3-for-2.10.0.1.patch	2007-03-02 17:24	lem9
File Added	218530: protect_against_deep_recursion_2.9.patch	2007-03-02 16:02	cybot_tm
File Added	218529: protect_against_deep_recursion_2.10.patch	2007-03-02 16:02	cybot_tm
File Added	218528: protect_against_deep_recursion.patch	2007-03-02 16:01	cybot_tm
File Deleted	218365:	2007-03-02 16:01	cybot_tm
File Deleted	218512:	2007-03-02 16:01	cybot_tm
File Deleted	218513:	2007-03-02 16:01	cybot_tm
File Added	218513: protect_against_deep_recursion_2.9.patch	2007-03-02 14:20	cybot_tm
File Added	218512: protect_against_deep_recursion_2.10.patch	2007-03-02 14:20	cybot_tm
File Added	218365: protect_against_deep_recursion.patch	2007-03-01 16:02	cybot_tm

phpMyAdmin

Tracker: Bugs

Comments ( 9 )

Attached Files ( 4 )

Changes ( 16 )

About SourceForge

Find Software

Develop Software

Community

Help