The PHP Group Information for VU#903934
Hash table implementations vulnerable to algorithmic complexity attacks
- Date Notified:
- Statement Date:
- Date Updated: 28 Dec 2011
Status
Affected
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
According to the n.runs AG advisory:
"PHP 5 uses the DJBX33A (Dan Bernstein's times 33, addition) hash function and parses POST form data into the $_POST hash table. Because of the structure of the hash function, it is vulnerable to an equivalent substring attack."
From the Workarounds section:
"The easiest way to reduce the impact of such an attack is to reduce the CPU time that a request is allowed to take. For PHP, this can be configured using the max_input_time parameter."
PHP 5.4.0 RC4 has been released; it adds a max_input_vars directive that limits the number of input variables parsed per request, which helps mitigate hash collision attacks. Please note that this is a release candidate, not a stable release.
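As an added illustration, not code from the CERT note, the n.runs advisory, or the PHP project: a PHP script that audits whether the two directives named above, max_input_time (the n.runs workaround) and max_input_vars (added in PHP 5.4.0 RC4), are actually in effect on a given interpreter. The caps of 1000 variables and 60 seconds, and the "weak" and "hardened" sample configurations, are assumptions constructed for this example.

```php
<?php
// Added example, not part of the CERT note or of PHP itself: audit the two
// php.ini directives the note names as mitigations for hash-collision DoS.
// The caps $maxVars and $maxSeconds are assumptions chosen for this example.

/**
 * Check a set of ini values and return a list of findings (empty = no issue).
 * $ini maps directive name => string value, or false when the directive is
 * unknown to the interpreter, which is what ini_get() returns in that case.
 */
function auditHashDosSettings(array $ini, int $maxVars = 1000, int $maxSeconds = 60): array
{
    $findings = [];

    // max_input_vars caps how many GET/POST/COOKIE variables are parsed into
    // $_POST and its siblings. On builds that predate the directive (it was
    // introduced in PHP 5.4.0 RC4), ini_get() returns false: no cap at all.
    $vars = $ini['max_input_vars'] ?? false;
    if ($vars === false) {
        $findings[] = 'max_input_vars: directive not supported by this PHP build; upgrade';
    } elseif (!is_numeric($vars) || (int) $vars > $maxVars) {
        $findings[] = "max_input_vars={$vars}: set to at most {$maxVars} (assumed cap)";
    }

    // max_input_time bounds the seconds spent parsing request input. Per the
    // PHP manual, -1 falls back to max_execution_time and 0 removes the limit,
    // so only a positive value is an independent bound on the parsing phase.
    $time = $ini['max_input_time'] ?? false;
    if ($time === false || !is_numeric($time) || (int) $time <= 0) {
        $findings[] = 'max_input_time: no independent limit on input parsing';
    } elseif ((int) $time > $maxSeconds) {
        $findings[] = "max_input_time={$time}: exceeds the assumed cap of {$maxSeconds}s";
    }

    return $findings;
}

/** Values of the running interpreter, in the shape auditHashDosSettings() expects. */
function liveIniValues(): array
{
    return [
        'max_input_vars' => ini_get('max_input_vars'),
        'max_input_time' => ini_get('max_input_time'),
    ];
}

// Constructed sample configurations, compared alongside the live one.
$samples = [
    'weak (old build, unlimited parse time)' => ['max_input_vars' => false, 'max_input_time' => '0'],
    'hardened'                               => ['max_input_vars' => '1000', 'max_input_time' => '60'],
    'running interpreter'                    => liveIniValues(),
];

foreach ($samples as $label => $cfg) {
    $findings = auditHashDosSettings($cfg);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'OK', PHP_EOL;
}
```

Run it under the same SAPI that serves requests (for example by dropping it behind the web server rather than invoking `php` on the command line), because the CLI reads its own php.ini and its max_input_time value is not the one a POST request is parsed under.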
Vendor References
http://www.php.net/archive/2011.php#id2011-12-25-1
Addendum
There are no additional comments at this time.