PHP 5.2/5.3 Hash Vulnerability patch Release

The news yesterday showed that many language versions, including PHP, Java, and Ruby, were currently vulnerable, and the PHP official development Group, Laruence (Sina Weibo), said an attacker could implement a denial-of-service attack by constructing a hash conflict and provide an example. This attack method is very dangerous, the attack cost is also very small, a desktop can easily bring down dozens of units, hundreds of servers.

This vulnerability, the equivalent of a random attacker can be DDoS off most of the world's Web sites! The level of damage is definitely a nuclear bomb. Therefore, the PHP official development team issued an emergency patch, please repair as soon as possible.

In PHP, <= 5.3.8, all versions of <= 5.4.0RC3 are affected by this vulnerability. The PHP 5.3.9 and PHP 5.4.0 already contain patches for this vulnerability, but because two versions are still in the RC state, they cannot be used for production server upgrades. As for PHP 5.2, the official development group said it would not release the new version for this vulnerability.

　　

The official current solution is to give your PHP environment a patch,5.2 and 5.3 to use. Patch address is as follows:

Https://github.com/laruence/laruence.github.com/tree/master/php-5.2-max-input-vars

How to use:

1. CD to PHP src, run: patch-p1 < Php-5.2.*-max-input-vars.patch

2. The latest PHP 5.3.9-RC4 has fixed this vulnerability and 5.3 of users can upgrade directly to 5.3.9-RC4.

Of course, if you do not want to update to an RC version, you can also easily modify the above patch, applied to the corresponding version of 5.3.

Laruence also suggest other languages such as Java, Ruby, etc., please also anticipate a good countermeasure, limit the post_size is a palliative method, but can be used to do temporary solutions.

　　Interim Solution Reference : http://www.54chen.com/php-tech/hashdos.html

In addition, Microsoft has also issued an emergency update to fix the vulnerability on the asp.net:

Http://netsecurity.51cto.com/art/201112/310628.htm

Query list

The affected languages and versions that are currently known are:

Java, all versions

JRuby <= 1.6.5

PHP <= 5.3.8, <= 5.4.0rc3

Python, all versions

Rubinius, all versions

Ruby <= 1.8.7-p356

Apache Geronimo, all versions

Apache Tomcat <= 5.5.34, <= 6.0.34, <= 7.0.22

Oracle Glassfish <= 3.1.1

Jetty, all versions

Plone, all versions

Rack, all versions

V8 JavaScript Engine, all versions

Languages not affected by this or repaired versions of the language are:

PHP >= 5.3.9, >= 5.4.0RC4

JRuby >= 1.6.5.1

Ruby >= 1.8.7-p357, 1.9.x

Apache Tomcat >= 5.5.35, >= 6.0.35, >= 7.0.23

Oracle Glassfish, N/A (Oracle reports that the issue are fixed in the main codeline and scheduled for A future CPU)

cve:cve-2011-4885 (PHP), cve-2011-4461 (Jetty), cve-2011-4838 (JRuby), cve-2011-4462 (Plone), cve-2011-4815 (Ruby)