Bug 1269110 - php: hash table collisions CPU usage DoS
Summary: php: hash table collisions CPU usage DoS
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1269112
Blocks: 1269113
TreeView+ depends on / blocked
 
Reported: 2015-10-06 11:27 UTC by Martin Prpič
Modified: 2019-09-29 13:37 UTC (History)
15 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-08-03 07:16:45 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
PHP Bug Tracker 70644 0 None None None 2015-12-17 21:01:10 UTC

Description Martin Prpič 2015-10-06 11:27:55 UTC
Brian M. Carlson reported the following flaw in PHP:

PHP uses the DJB "times 33" hash to hash strings in its hash tables, without the use of any secret key. Hash values are therefore the same between multiple invocations. As a result, it's trivial to precompute a set of values that all hash to the same bucket and cause positively abysmal performance.

If a script accepts untrusted hash keys, such as from JSON input, it is subject to a DoS attack. PHP implemented the max_input_vars option, but this is not effective in the general case, especially in the era of JSON-laden POST requests. Perl, Python, and Ruby have all addressed their CVEs properly, but PHP has not and as a result is still vulnerable.

Original report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800564

Additional information:

https://github.com/bk2204/php-hash-dos

Comment 1 Martin Prpič 2015-10-06 11:31:03 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1269112]

Comment 2 Tomas Hoger 2015-12-17 21:01:11 UTC
Upstream bug report:

https://bugs.php.net/bug.php?id=70644

Ways to fix this issue are still being investigated.

Comment 3 Huzaifa S. Sidhpurwala 2016-08-03 07:16:45 UTC
There is no activity on this upstream and it seems unlikely that it will be picked up any soon. Upstream strongly suggests validating all inputs via the PHP application before loading them into such data structures. (such as hash tables).


Note You need to log in before you can comment on or make changes to this bug.