A new problem emerged regarding the "max_input_vars" variable

Feb 6, 2012 11:54 GMT  ·  By
HTTP header attacks and 32/64-bit OS detection may be possible due to the PHP 5.3.9  security update

After the PHP Group fixed the hash collision issue by releasing a patch to mitigate attacks, the fix turned out to be problematic, experts identifying a remote code execution vulnerability. Now, it turns out that the same variant opened up the possibility of a new class of HTTP header attacks.

Stefan Esser, the security expert who found the remote code execution flaw, is the one who uncovered this second issue.

He believes that the max_input_vars variable, which the patch initially capped at 1,000 to mitigate hash collision attacks, allows an attacker to identify whether the target runs a 32-bit or a 64-bit system, thus introducing the possibility of this new type of HTTP header attack that eventually leads to remote code execution.

“Due to the new max_input_vars feature there is now the possibility to abuse an older problem in the code to detect with a single HTTP request if the remote system is running a 32 bit or a 64 bit PHP. Knowing this is not a critical security problem, but it allows attackers of remote memory corruption vulnerabilities to better prepare for the target,” Esser said.

While the issue affects nearly all PHP applications, Esser claims that Suhosin Extension users are safe from this max_input_vars "32-bit vs 64-bit detection" issue, and that a new feature will be added to protect against HTTP header attacks.

The problems with PHP and hash collision attacks began at the end of December 2011 when a couple of researchers showed at the 28C3 Chaos Communication Congress in Berlin, Germany, that many widely used languages and platforms, including PHP, Java, Apache Tomcat, ASP.NET, Python, Plone, Ruby and V8, are susceptible to DoS attacks because of the way they use hash tables.

After the flaws were revealed, most developers rushed to publish workarounds and patches, but as it turns out, the solutions with which the PHP Group initially came forward weren’t the best.