PHP Hash Collision denial of service vulnerability

Description
  • This alert was generated using only banner information. It may be a false positive.

    Hash tables are a commonly used data structure in most programming languages. Web application servers or platforms commonly parse attacker-controlled POST form data into hash tables automatically, so that they can be accessed by application developers. If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request.

    Affected PHP versions (up to 5.3.8).
Remediation
  • Upgrade PHP to version 5.3.9 or higher.
References