PHP Hash Collision denial of service vulnerability

Description

This alert was generated using only banner information. It may be a false positive.

Hash tables are a commonly used data structure in most programming languages. Web application servers or platforms commonly parse attacker-controlled POST form data into hash tables automatically, so that they can be accessed by application developers. If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request.

Affected PHP versions (up to 5.3.8).

Remediation

Upgrade PHP to version 5.3.9 or higher.

References
Severity
Classification
Tags
  • Denial Of Service