PHP5.2.X Patch method to prevent Hash conflicts and DoS attacks. This article analyzes the Patch method of PHP5.2.X to prevent Hash conflict denial of service (DoS) attacks. if you need it, please refer to it. Last week, when Dmitry was launched in 5.4, he introduced an article to analyze the Patch method for preventing Hash conflict denial of service (DoS) attacks in PHP5.2.X. if you need it, please refer to it.
Last week, Dmitry suddenly introduced a new configuration item when 5.4 was released:
Added max_input_vars directive to prevent attacks based on hash collision, it is the "denial of service (DoS) vulnerability in various languages by calling Hash conflicts" (multiple implementations denial-of-service via hash algorithm collision ).
The attack principle is very simple. Currently, many languages use hash to store k-v data, including frequently used POST data from users. attackers can construct request headers, with a large number of special "k" values in POST (customized based on the Hash algorithm of each language), the Hash table storing POST data at the underlying layer of the language is "conflicted" (collision) it degrades to a linked list.
In this way, if the data size is large enough, the language can be used for computing, searching, and inserting, resulting in a large amount of CPU usage, thus implementing DoS attacks.
PHP5.4 tries to avoid the impact of such attacks by adding a limit:
-Max_input_vars-specifies how many GET/POST/COOKIE input variables may be accepted. default value 1000
If you use 5.2 of these patches, you can use the patch above and PHP5.3 to upgrade to 5.3.9. This patch is already included (because 5.3.9 is currently in the RC status, therefore, if you do not want to upgrade, you can also refer to this patch to write one for 5.3 ):
Preventive measures
1. Cd into the PHP src run: patch-p1 <php-5.2. *-max-input-vars.patch
2. Since the latest PHP 5.3.9-RC4 has fixed this issue, so for 5.3 you can upgrade to 5.3.9RC4
Of course if you don't want to upgrade to a RC version, you can simply tweak this patch into a 5.3 suitable patch.
You can go to workshop
Bytes. Last week, when Dmitry was launched in 5.4, it introduced...