
Critical PHP vulnerability being fixed (The H)

The H is reporting that a critical remote code execution bug has been found in PHP, introduced by the recent fix for the widely reported hash-collision denial-of-service vulnerability. "The cause of the problem is the security update to PHP 5.3.9, which was written to prevent denial of service (DoS) attacks using hash collisions. To do so, the developers limited the maximum possible number of input parameters to 1,000 in php_variables.c using max_input_vars. Because of mistakes in the implementation, hackers can intentionally exceed this limit and inject and execute code. The bug is considered to be critical as code can be remotely injected over the web."

Critical PHP vulnerability being fixed (The H)

Posted Feb 2, 2012 22:55 UTC (Thu) by HenrikH (guest, #31152) [Link]

Why doesn't this work the other way around, i.e. the web service should supply a list of which keys it supports and the "framework" should create a map of that (and perform a lookup on the incoming data from the client) instead of the "framework" creating a map of the incoming data from the client (and the service performs the lookup).

That way it could even generate a perfect hash to yield even better performance. And that is exactly how I have always coded web services in C so why does the PHP/Java/whatnot-crowd do it backwards?
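
One way to implement the inverted design described in this comment, as an added example in C that is neither the commenter's own code nor PHP's: the service declares its accepted keys in a fixed, sorted table, each incoming key is looked up against that table (unknown keys are dropped), and a max_input_vars-style cap of 1,000 stops parsing instead of growing any attacker-shaped structure. The key names, sizes and the `parse_query`/`flood_is_truncated` helpers are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical service: the only accepted keys, sorted for bsearch(). The table
 * is fixed at build time, so attacker-chosen names never shape the lookup. */
static const char *const known_keys[] = { "id", "page", "user" };
enum { KEY_ID, KEY_PAGE, KEY_USER, NKEYS };
#define MAX_VALUE  64
#define MAX_PARAMS 1000   /* same role as PHP 5.3.9's max_input_vars */
struct request { char value[NKEYS][MAX_VALUE]; int seen, ignored, truncated; };
static int cmp_key(const void *key, const void *elem) {
    return strcmp((const char *)key, *(const char *const *)elem);
}

/* Parse "k=v&k2=v2..." into fixed slots; unknown keys are counted and dropped.
 * Returns the number of accepted (known) parameters. */
int parse_query(const char *qs, struct request *req) {
    memset(req, 0, sizeof *req);
    for (const char *p = qs; *p; ) {
        if (req->seen == MAX_PARAMS) { req->truncated = 1; break; }
        const char *amp = strchr(p, '&'), *eq = strchr(p, '=');
        const char *end = amp ? amp : p + strlen(p);
        if (!eq || eq > end) eq = end;                    /* key with no value */
        size_t klen = (size_t)(eq - p);
        char key[32]; const char *const *hit = NULL;
        if (klen < sizeof key) {
            memcpy(key, p, klen); key[klen] = '\0';
            hit = bsearch(key, known_keys, NKEYS, sizeof *known_keys, cmp_key);
        }
        if (hit) {
            size_t vlen = eq < end ? (size_t)(end - eq - 1) : 0;
            if (vlen >= MAX_VALUE) vlen = MAX_VALUE - 1;  /* clip long value */
            if (vlen) memcpy(req->value[hit - known_keys], eq + 1, vlen);
            req->value[hit - known_keys][vlen] = '\0';
        } else req->ignored++;
        req->seen++;
        p = amp ? amp + 1 : end;
    }
    return req->seen - req->ignored;
}
/* Constructed flood of n junk parameters; returns 1 if the cap was reached. */
int flood_is_truncated(int n) {
    char *buf = malloc((size_t)n * 16 + 1);               /* "x123456=1&" < 16 */
    if (!buf) return -1;
    size_t off = 0;
    for (int i = 0; i < n; i++) off += (size_t)sprintf(buf + off, "x%d=1&", i);
    struct request req; parse_query(buf, &req);
    free(buf);
    return req.truncated;
}
```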

Critical PHP vulnerability being fixed (The H)

Posted Feb 3, 2012 10:00 UTC (Fri) by Soroush (guest, #81798) [Link]

.. or the web application can ask the web server for a key "on demand" using a function like get_arg(), as in this C web server implementation http://gwan.com/api#params

Critical PHP vulnerability being fixed (The H)

Posted Feb 3, 2012 0:10 UTC (Fri) by drag (subscriber, #31333) [Link]

Wow, that has to be a kick in the teeth. Try to reduce your DOS surface and introduce a remote execution bug. That's really bad.

Critical PHP vulnerability being fixed (The H)

Posted Feb 3, 2012 2:43 UTC (Fri) by fimbulvetr (subscriber, #41019) [Link]

Well, to be fair, a number of distros did backport the fix without noticing the vulnerability.

Remote execution aside, sudo did just suffer a comparable issue where new code had been added but not fully vetted. The only real difference is that I'd expect more from the sudo authors.

Ubuntu, FWIW, doesn't appear to have fixed the original 5.3.9 bug and thus those users may suffer the 5.3.9 DOSing, but hypothetically no remote execution:
https://bugs.launchpad.net/bugs/cve/2011-4885

Critical PHP vulnerability being fixed (The H)

Posted Feb 3, 2012 13:02 UTC (Fri) by RichieB (guest, #82736) [Link]

What's even worse is that this critical bug was already reported 1 day after the release of php 5.3.9. For some reason it got ignored for 3 weeks until proof-of-concept code was released. See http://bugs.php.net/60708

Copyright © 2012, Eklektix, Inc.