Sunday, March 04, 2007

Another Quick Release

There has been another quick release from one of Open Source application today. This time is PHPMyAdmin who has fixed a possible deep recursion attack after MoPB (Month of PHP Bugs) has released a summary of a bug in PHP application and the example being used is PHPMyAdmin. The Security team of PHPMyAdmin does a quick research and they have released PHPMyAdmin and also offer a patch from their websites (see Security Note PMASA-2007-3 for more detail).

Again i decided to download the patch and apply the patch manually, because it's very small and it only affecting 1 file, libraries/common.lib.php. Find this function: function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also = false) and then change the content into :

* calls $function for every element in $array recursively
* this function is protected against deep recursion attack CVE-2006-1549,
* 1000 seems to be more than enough
* @see
* @see
function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also = false)
static $recursive_counter = 0;
if (++$recursive_counter > 1000) {
die('possible deep recursion attack');

foreach ($array as $key => $value) {
if (is_array($value)) {
PMA_arrayWalkRecursive($array[$key], $function, $apply_to_keys_also);
} else {
$array[$key] = $function($value);

if ($apply_to_keys_also && is_string($key)) {
$new_key = $function($key);
if ($new_key != $key) {
$array[$new_key] = $array[$key];


Don't forget to change the version in Config.class.php into and you're done with PHPMyAdmin. It has reflected the latest version.

In my opinion, it's not completely PHP's fault. We as the developer should also give this kind of protection to our application because the resources are limited, so we should try not to pass that limit. Actually this kind of attack not only affecting PHPMyAdmin, but also other application which uses recursive array function like what PHPMyAdmin had, so better check your application now before it's too late.