Brian M. Carlson reported the following flaw in PHP:
PHP uses the DJB "times 33" hash to hash strings in its hash tables, without the use of any secret key. Hash values are therefore the same between multiple invocations. As a result, it's trivial to precompute a set of values that all hash to the same bucket and cause positively abysmal performance.
If a script accepts untrusted hash keys, such as from JSON input, it is subject to a DoS attack. PHP implemented the max_input_vars option, but this is not effective in the general case, especially in the era of JSON-laden POST requests. Perl, Python, and Ruby have all addressed their CVEs properly, but PHP has not and as a result is still vulnerable.
Original report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800564
Additional information:
https://github.com/bk2204/php-hash-dos
Comment 3Huzaifa S. Sidhpurwala
2016-08-03 07:16:45 UTC
There is no activity on this upstream and it seems unlikely that it will be picked up any soon. Upstream strongly suggests validating all inputs via the PHP application before loading them into such data structures. (such as hash tables).