On Wed, Sep 30, 2015 at 11:27:39PM +0000, brian m. carlson wrote:
> Package: php5-cli
> Version: 5.6.13+dfsg-2
> Severity: important
> Tags: security
>
> PHP uses the DJB "times 33" hash to hash strings in its hash tables,
> without the use of any secret key. Hash values are therefore the same
> between multiple invocations. As a result, it's trivial to precompute a
> set of values that all hash to the same bucket and cause positively
> abysmal performance.
>
> If a script accepts untrusted hash keys, such as from JSON input, it is
> subject to a DoS attack. PHP implemented the max_input_vars option, but
> this is not effective in the general case, especially in the era of
> JSON-laden POST requests. Perl, Python, and Ruby have all addressed
> their CVEs properly, but PHP has not and as a result is still
> vulnerable.

It was pointed out to me that I should mention which CVEs apply here for
reference. Python had CVE-2012-1150 and CVE-2013-7040. Ruby had
CVE-2011-4815. I can't find a CVE for Perl's 2003 fix, if one exists.
The fix, which went into 5.8, was incomplete and was addressed by
CVE-2013-1667.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
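
Added example, not part of the original message and not PHP's own code: a Python sketch of a pre-decode check that flags a JSON object whose keys pile into one bucket under an unkeyed "times 33" hash, next to a keyed hash that spreads the same keys. The start value 5381, the 32-bit width, the 1024-slot table, the thresholds, all function names and the keyed BLAKE2b stand-in are assumptions made for the illustration.

```python
import hashlib
import itertools
import json
from collections import Counter

def djb33(key: bytes) -> int:
    # Unkeyed "times 33" hash. Start value 5381 and 32-bit width are assumptions;
    # the collisions below hold for any start value and width.
    h = 5381
    for byte in key:
        h = (h * 33 + byte) & 0xFFFFFFFF
    return h

def keyed_hash(key: bytes, secret: bytes) -> int:
    # Stand-in for a per-process keyed hash (keyed BLAKE2b, chosen for illustration).
    digest = hashlib.blake2b(key, key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big")

def worst_bucket_share(keys, hash_fn, table_size=1024):
    # Fraction of keys in the fullest bucket of a power-of-two table (assumed layout).
    keys = list(keys)
    if not keys:
        return 0.0
    buckets = Counter(hash_fn(k) & (table_size - 1) for k in keys)
    return max(buckets.values()) / len(keys)

def looks_like_flood(json_text, min_keys=8, threshold=0.5):
    # Check each JSON object on its own, since each becomes its own hash table.
    flagged = []
    def inspect(pairs):
        keys = [k.encode() for k, _ in pairs]
        if len(keys) >= min_keys and worst_bucket_share(keys, djb33) >= threshold:
            flagged.append(len(keys))
        return dict(pairs)
    json.loads(json_text, object_pairs_hook=inspect)
    return bool(flagged)

# Constructed sample: 33*ord("E")+ord("z") == 33*ord("F")+ord("Y"), so any
# equal-length concatenation of the two blocks gets the same times-33 hash.
COLLIDING = ["".join(p) for p in itertools.product(("Ez", "FY"), repeat=4)]
FLOOD_BODY = json.dumps({k: 0 for k in COLLIDING})
BENIGN_BODY = json.dumps({f"field_{i}": i for i in range(16)})

if __name__ == "__main__":
    secret = b"constructed-demo-key"  # a real deployment draws this at random per process
    for name, body in (("flood", FLOOD_BODY), ("benign", BENIGN_BODY)):
        keys = [k.encode() for k in json.loads(body)]
        print(name, looks_like_flood(body),
              worst_bucket_share(keys, djb33),
              worst_bucket_share(keys, lambda k: keyed_hash(k, secret)))
```
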

