The news yesterday showed that many language versions, including PHP, Java, and Ruby, were currently vulnerable, and the PHP official development Group, Laruence (Sina Weibo), said an attacker could implement a denial-of-service attack by constructing a hash conflict and provide an example. This attack method is very dangerous, the attack cost is also very small, a desktop can easily bring down dozens of units, hundreds of servers.
This vulnerability, the equivalent of a random attacker can be DDoS off most of the world's Web sites! The level of damage is definitely a nuclear bomb. Therefore, the PHP official development team issued an emergency patch, please repair as soon as possible.
In PHP, <= 5.3.8, all versions of <= 5.4.0RC3 are affected by this vulnerability. The PHP 5.3.9 and PHP 5.4.0 already contain patches for this vulnerability, but because two versions are still in the RC state, they cannot be used for production server upgrades. As for PHP 5.2, the official development group said it would not release the new version for this vulnerability.
The official current solution is to give your PHP environment a patch,5.2 and 5.3 to use. Patch address is as follows:
Https://github.com/laruence/laruence.github.com/tree/master/php-5.2-max-input-vars
How to use:
1. CD to PHP src, run: patch-p1 < Php-5.2.*-max-input-vars.patch
2. The latest PHP 5.3.9-RC4 has fixed this vulnerability and 5.3 of users can upgrade directly to 5.3.9-RC4.
Of course, if you do not want to update to an RC version, you can also easily modify the above patch, applied to the corresponding version of 5.3.
Laruence also suggest other languages such as Java, Ruby, etc., please also anticipate a good countermeasure, limit the post_size is a palliative method, but can be used to do temporary solutions.
Interim Solution Reference : http://www.54chen.com/php-tech/hashdos.html
In addition, Microsoft has also issued an emergency update to fix the vulnerability on the asp.net:
Http://netsecurity.51cto.com/art/201112/310628.htm
Query list
The affected languages and versions that are currently known are:
Java, all versions
JRuby <= 1.6.5
PHP <= 5.3.8, <= 5.4.0rc3
Python, all versions
Rubinius, all versions
Ruby <= 1.8.7-p356
Apache Geronimo, all versions
Apache Tomcat <= 5.5.34, <= 6.0.34, <= 7.0.22
Oracle Glassfish <= 3.1.1
Jetty, all versions
Plone, all versions
Rack, all versions
V8 JavaScript Engine, all versions
Languages not affected by this or repaired versions of the language are:
PHP >= 5.3.9, >= 5.4.0RC4
JRuby >= 1.6.5.1
Ruby >= 1.8.7-p357, 1.9.x
Apache Tomcat >= 5.5.35, >= 6.0.35, >= 7.0.23
Oracle Glassfish, N/A (Oracle reports that the issue are fixed in the main codeline and scheduled for A future CPU)
cve:cve-2011-4885 (PHP), cve-2011-4461 (Jetty), cve-2011-4838 (JRuby), cve-2011-4462 (Plone), cve-2011-4815 (Ruby)