Researchers showed that some programing language implementations didn’t sufficiently randomize their hash functions or provide means to limit key collision attacks. Among the ones affected by this issue is PHP 5.
“PHP 5 uses the DJBX33A (Dan Bernstein's times 33, addition) hash function and parses POST form data into the $_POST hash table. Because of the structure of the hash function, it is vulnerable to an equivalent substring attack,” reads the n.runs AG advisory.
The PHP Group didn’t release an official statement regarding the issue, but PHP 5.4.0 RC4 adds a max_input_vars directive to help mitigate hash collision attacks. However, this release is not stable.
Until the vendor responds, users are advised to limit the CPU time that a request is allowed to take by configuring the max_input_time parameter. Another way to mitigate an attack is to limit the maximal POST size.
Those who use Suhosin, the open source patch for PHP that comes with some security improvements, can use suhosin.post.max_vars to define the maximum number of variables that may be registered through a POST request.
Other web programing languages and applications are also susceptible to a similar DoS attack. Learn how this is possible.
PHP 5.3.8 / 5.4.0 RC4 is available for download here.