PHP Hash Collision denial of service vulnerability

Description
  • <div class="bb-coolbox"><span class="bb-dark">This alert was generated using only banner information. It may be a false positive. </span></div><br/> Hash tables are a commonly used data structure in most programming languages. Web application servers or platforms commonly parse attacker-controlled POST form data into hash tables automatically, so that they can be accessed by application developers. If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request. <br/><br/><span class="bb-navy">Affected PHP versions (up to 5.3.8).</span><br/>
Remediation
  • Upgrade PHP to version 5.3.9 or higher.
References