An attacker could launch a hash collision attack using this flaw

Jan 13, 2012 08:13 GMT  ·  By

After researchers showed how some programing language implementations and platforms were susceptible to hash collision attacks, PHP being among them, the PHP Group released PHP 5.3.9 which resolves the issue.

So far, the max_input_vars directive that mitigated hash collision attacks was present in PHP 5.4.0 RC4, but since this variant wasn’t stable, its use wasn’t a long-term solution.

Now, the max_input_vars is present in the 5.3.9 version which means that users who upgrade to this latest variant are protected against a potential attack.

Another fix that addresses a security issue refers to an integer overflow during the parsing of an invalid EXIF header. The bug could have allowed a hacker to launch a denial of service attack or read arbitrary memory.

This weakness only affected the 32 bit version.

PHP 5.3.9 / 5.4 RC5 is available for download here.