[php-maint] Bug#800564: php5: trivial hash complexity DoS attack
brian m. carlson
sandals at crustytoothpaste.net
Fri Oct 2 12:37:13 UTC 2015
On Wed, Sep 30, 2015 at 11:27:39PM +0000, brian m. carlson wrote:
> Package: php5-cli
> Version: 5.6.13+dfsg-2
> Severity: important
> Tags: security
>
> PHP uses the DJB "times 33" hash to hash strings in its hash tables,
> without the use of any secret key. Hash values are therefore the same
> between multiple invocations. As a result, it's trivial to precompute a
> set of values that all hash to the same bucket and cause positively
> abysmal performance.
>
> If a script accepts untrusted hash keys, such as from JSON input, it is
> subject to a DoS attack. PHP implemented the max_input_vars option, but
> this is not effective in the general case, especially in the era of
> JSON-laden POST requests. Perl, Python, and Ruby have all addressed
> their CVEs properly, but PHP has not and as a result is still
> vulnerable.
It was pointed out to me that I should mention which CVEs apply here for
reference.
Python had CVE-2012-1150 and CVE-2013-7040. Ruby had CVE-2011-4815. I
can't find a CVE for Perl's 2003 fix, if one exists. The fix, which
went into 5.8, was incomplete and was addressed by CVE-2013-1667.
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
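
The following is an added example, not part of the original message or of PHP's source. It shows a pre-decode check that measures how many keys of one JSON object land in the same bucket under the unkeyed "times 33" hash, next to a keyed hash for comparison. The seed 5381, the 64-bit width, the 1024-bucket table, the BLAKE2b stand-in, and all function names and sample bodies are assumptions made for illustration.

```python
import hashlib
import json
from collections import Counter

def djb_times33(key: bytes) -> int:
    """Unkeyed "times 33" hash. Assumed: seed 5381, 64-bit wraparound."""
    h = 5381
    for byte in key:
        h = (h * 33 + byte) & 0xFFFFFFFFFFFFFFFF
    return h

def keyed_hash(key: bytes, secret: bytes) -> int:
    """Keyed comparison hash. BLAKE2b is a stand-in chosen for this example."""
    digest = hashlib.blake2b(key, key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "little")

def worst_bucket_load(node, hash_fn, table_bits=10):
    """Most keys sharing one bucket in any single JSON object (one table each).
    table_bits is an assumed table size of 2**table_bits buckets."""
    mask = (1 << table_bits) - 1
    worst, children = 0, ()
    if isinstance(node, dict):
        loads = Counter(hash_fn(k.encode()) & mask for k in node)
        worst = max(loads.values(), default=0)
        children = node.values()
    elif isinstance(node, list):
        children = node
    for child in children:
        worst = max(worst, worst_bucket_load(child, hash_fn, table_bits))
    return worst

def is_suspicious(doc_text: str, limit: int = 3) -> bool:
    """Flag a JSON body whose keys pile into one bucket under the unkeyed hash."""
    return worst_bucket_load(json.loads(doc_text), djb_times33) > limit

# Constructed sample bodies (not from the bug report).
BENIGN_DOC = '{"user": {"id": 7, "email": "a@example.org"}, "tags": ["x", "y"]}'
CLUSTERED_DOC = '{"EzEz": 1, "EzFY": 2, "FYEz": 3, "FYFY": 4}'

if __name__ == "__main__":
    import os
    secret = os.urandom(16)  # per-process key, as a keyed table hash would use
    for name, text in (("benign", BENIGN_DOC), ("clustered", CLUSTERED_DOC)):
        doc = json.loads(text)
        print(name, "unkeyed load:", worst_bucket_load(doc, djb_times33),
              "keyed load:", worst_bucket_load(doc, lambda k: keyed_hash(k, secret)),
              "flagged:", is_suspicious(text))
```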