PHP Release Fixes Hash DoS

Thursday, January 12, 2012 @ 04:01 PM gHale


PHP developers released PHP 5.3.9 which includes the ability to limit the number of input parameters in HTTP requests.

This is important because the fix addresses the denial of service (DoS) attack issue presented at the 28th Chaos Communication Congress and has led to fixes going out to web servers, frameworks and languages.

RELATED STORIES
Chrome 17 Hikes Speed, Security
OpenSSL Offering Patches 6 Flaws
Google Looks at HTTPS Security
Google Fixes Chrome Hole, Again

The underlying flaw is it is possible to make hashes collide and force a system to spend much more CPU time reordering hashed data structures. That flaw will still exist, but by setting the max_input_vars directive to a suitably low value, it makes it impossible to send sufficient parameters to trigger that problem. Another denial of service fix in 5.3.9 addresses an integer overflow when processing EXIF headers in JPEG files.

The release also contains numerous non-security-related fixes to areas including garbage collection, memory management, DateTime, PHP-FPM SAPI and SOAP.

The developers describe key enhancements that include stopping the is_a function triggering autoload and allowing mysqlnd to be built shared. A full list of the changes can be found in the change log and the updated source code is available from the download page. Windows binaries for 5.3.9 are also available. Developers suggest all PHP users to upgrade to 5.3.9.

In other PHP developments, the fifth release candidate of PHP 5.4.0 is out. The first release candidate came out November 2011. The developers expect another release candidate, which they hope will be “probably the last release candidate”, to release around January 21.



Leave a Reply

You must be logged in to post a comment.