This is a mirror of the official site: http://jasper-net.blogspot.com/

PHP Vulnerability May Halt Millions of Servers

Tuesday, January 17, 2012
Contents
What is the Hash Collision Vulnerability?
What Can You Do to Prevent Eventual Attacks?
Shall I Upgrade My Installed PHP Version?
What if I Cannot Upgrade My Installed PHP Version?
Protect your PHP installation with the Suhosin extension
Conclusion

What is the Hash Collision Vulnerability?

Arrays are a very popular data type in PHP and many other scripting languages. They let you store a variable number of entries of any type, and you can store as many entries in an array as you want. This is the main problem behind a vulnerability known as Hash Collision.

In PHP and several other languages used to implement Web applications, arrays are used to store the values of request variables such as $_GET, $_POST, $_COOKIE, etc. If you receive a request with a large number of request values, PHP, until recent versions, may run into trouble.

Let me explain the problem at a high level. The PHP runtime engine, which is implemented in C, reads the HTTP request data and builds arrays to store the request variables. This happens even before any PHP code starts being executed.

In C and other languages, these arrays are implemented as data structures called hash tables. In simplified terms, a hash table is an array of linked lists of entries. That array has a fixed size.

Every time you add a new entry to a hash table, you need to compute a hash value for the new entry's key. That hash value is an integer that determines which linked list the new entry will be added to.

Once the hash table code has determined which linked list the new entry belongs to, it checks whether that list already contains an entry with the same key. If there is no entry with the same key, the new entry is added to the linked list. Otherwise, the new value replaces the value of the old entry with the same key.

This process is reasonably fast if the number of entries in the array is relatively small. However, if the array has a very large number of entries, the performance of inserting new entries starts to degrade.

This problem can be seriously aggravated if the keys to be added to the array have the same hash value, meaning they will all be added to the same linked list.
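The degradation described above can be measured directly. The following is an added example, not code from the original article or from PHP: a small chained hash table that counts key comparisons during insertion. The toy hash (key modulo table size), the constructed integer keys, and the `max_entries` cap are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define NBUCKETS 1024u /* fixed number of linked lists (buckets) */

struct entry { unsigned key; int value; struct entry *next; };
struct table { struct entry *bucket[NBUCKETS]; unsigned long compares; };

/* Toy hash for illustration only; this is not PHP's hash function. */
static unsigned toy_hash(unsigned key) { return key % NBUCKETS; }

/* Add or replace an entry, counting each key comparison made on the chain. */
static int table_set(struct table *t, unsigned key, int value) {
    struct entry **head = &t->bucket[toy_hash(key)];
    for (struct entry *e = *head; e != NULL; e = e->next) {
        t->compares++;
        if (e->key == key) { e->value = value; return 0; } /* same key: replace */
    }
    struct entry *e = malloc(sizeof *e);
    if (e == NULL) return -1;
    e->key = key; e->value = value; e->next = *head;
    *head = e; /* new key: link into this bucket's list */
    return 0;
}

/* Insert n constructed keys (0, stride, 2*stride, ...) and return the number
 * of comparisons. max_entries is a hypothetical cap on accepted entries,
 * standing in for a limit on request variables; 0 means no cap. */
unsigned long insert_cost(unsigned n, unsigned stride, unsigned max_entries) {
    struct table t = {0};
    if (max_entries != 0 && n > max_entries) n = max_entries;
    for (unsigned i = 0; i < n; i++)
        if (table_set(&t, i * stride, 0) != 0) break;
    for (unsigned b = 0; b < NBUCKETS; b++) /* release all chains */
        while (t.bucket[b] != NULL) {
            struct entry *e = t.bucket[b];
            t.bucket[b] = e->next;
            free(e);
        }
    return t.compares;
}

int main(void) {
    printf("spread keys:       %lu\n", insert_cost(4096, 1, 0));
    printf("colliding keys:    %lu\n", insert_cost(4096, NBUCKETS, 0));
    printf("colliding, capped: %lu\n", insert_cost(4096, NBUCKETS, 1000));
    return 0;
}
```

With n keys that all land in one list, the insertions cost n(n-1)/2 comparisons in total, so the work grows with the square of the number of entries; limiting the number of accepted entries bounds that cost.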

What some security researchers have found is a way to easily determine a large number of array keys that can be used to craft an HTTP request with many request variables (GET, POST, COOKIE, etc.). Such a request can make PHP take hours, or maybe more, to handle a single HTTP request, just by making PHP consume all the CPU it gets to build the request variable arrays.

This means that with even a relatively small number of requests an attacker may make PHP consume all the CPU it gets until the machine practically halts, unless something kills the affected PHP processes.

As mentioned, other languages are also affected by this problem because they use similar hash table algorithms. The situation with PHP is actually worse because PHP is an extremely popular Web programming language. According to the researchers, 77% of the Web servers run PHP.

Although this explanation is already very technical, it is still a bit simplistic. If you want to know more about the low-level details, you may want to watch this video of a conference at which the security researchers presented the vulnerability.

Read more: PHP Classes blog