[php-maint] Bug#800564: php5: trivial hash complexity DoS attack

brian m. carlson sandals at crustytoothpaste.net
Fri Oct 2 12:37:13 UTC 2015

On Wed, Sep 30, 2015 at 11:27:39PM +0000, brian m. carlson wrote:
> Package: php5-cli
> Version: 5.6.13+dfsg-2
> Severity: important
> Tags: security
> PHP uses the DJB "times 33" hash to hash strings in its hash tables,
> without the use of any secret key.  Hash values are therefore the same
> between multiple invocations.  As a result, it's trivial to precompute a
> set of values that all hash to the same bucket and cause positively
> abysmal performance.
> If a script accepts untrusted hash keys, such as from JSON input, it is
> subject to a DoS attack.  PHP implemented the max_input_vars option, but
> this is not effective in the general case, especially in the era of
> JSON-laden POST requests.  Perl, Python, and Ruby have all addressed
> their CVEs properly, but PHP has not and as a result is still
> vulnerable.

It was pointed out to me that I should mention which CVEs apply here for

Python had CVE-2012-1150 and CVE-2013-7040.  Ruby had CVE-2011-4815.  I
can't find a CVE for Perl's 2003 fix, if one exists.  The fix, which
went into 5.8, was incomplete and was addressed by CVE-2013-1667.
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20151002/d5e3e4df/attachment.sig>

More information about the pkg-php-maint mailing list