简体中文(ZH-CN) English(EN) 繁体中文(ZH-TW) 日本語(JA) 한국어(KO) Melayu(MS) Français(FR) Deutsch(DE)
Home > Backend Development > PHP Tutorial > body text

PHP5.2.X Patch method to prevent Hash conflict denial of service attacks_PHP tutorial

WBOY
Release: 2016-07-13 17:10:33
Original
986 people have browsed it

The article analyzes the PHP5.2.X Patch method to prevent Hash conflict denial of service attacks. Friends can refer to it if necessary.


Last week, Dmitry suddenly introduced a new configuration item when 5.4 was about to be released:

Added max_input_vars directive to prevent attacks based on hash collision. The attack to be prevented is "multiple implementations denial-of-service via hash algorithm collision".

The principle of the attack is very simple. Currently, many languages ​​use hash to store k-v data, including commonly used POST data from users. Attackers can construct request headers and accompany POST with a large number of special "k" values ​​(according to The Hash algorithm of each language is different and customized), causing the Hash table at the bottom of the language to store POST data to degenerate into a linked list due to "conflicts" (collision).


In this way, if the amount of data is large enough, the language can cause a large amount of CPU usage when calculating, searching, and inserting, thereby achieving a denial of service attack.

PHP5.4 tries to avoid being affected by such attacks by adding a limit:

- max_input_vars - specifies how many GET/POST/COOKIE input variables may be accepted. default value 1000

If you are using PHP 5.2 and are threatened by such attacks, you can apply the patch below. For PHP 5.3, you can consider upgrading to 5.3.9, which already includes this patch (because 5.3.9 is currently in RC status, So if you don’t want to upgrade, you can also refer to this patch and write one yourself for 5.3):

Prevention methods

1. Cd into the PHP src run: patch -p1 < php-5.2.*-max-input-vars.patch
2. Since the latest PHP 5.3.9-RC4 has fixed this issue, so for 5.3 you can upgrade to 5.3.9RC4
Of course if you don't want to upgrade to a RC version, you can simply tweak this patch into a 5.3 suitable patch.


You can download the package at https://github.com/laruence/laruence.github.com/tree/master/php-5.2-max-input-vars

www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629665.htmlTechArticleThe article analyzes the PHP5.2.X Patch method to prevent Hash conflict denial of service attacks. Friends if needed For reference. Last week, Dmitry suddenly introduced a...
just before the release of 5.4
Related labels:
hash patch about conflict analyze reject attack article method Serve of prevent
source:php.cn
Previous article:PHP-5.3.9 Remote Arbitrary Code Execution Vulnerability (CVE-2012-0830) Detailed Explanation_PHP Tutorial Next article:About PHP files containing some vulnerability analysis_PHP tutorial
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Articles by Author
Latest Issues
<?php //Given a year, month and day, output the day of the year that the date is (note that leap year 4 100 400) <?php //Given a year, month and day, output the day of the year that the date is (no...
From 2023-11-14 23:55:21
0
1
79
Laravel 9.x: Redirect user to view success message after registration I'm trying to return a view with a success message after registering a user, which contain...
From 2023-11-12 22:55:21
0
1
336
Laravel Space/laravel-backup cannot be installed I'm trying to implement automatic backup in Laravel8. I decided to use Laravel-backup pack...
From 2023-11-10 08:57:17
0
2
224
Prevent MySQL from reading when updating I have two simple queries, one to read the table and one to update the table. How to lock ...
From 2023-11-07 18:05:53
0
1
203
Solution to error encountered when using vuelidate in quasar: "ReferenceError: process is not defined" I'm building an application using Quasar framework. For form validation I am using vuelida...
From 2023-11-07 08:36:55
0
1
243
Related Topics
More>
Popular Recommendations
Popular Tutorials
More>
Related Tutorials
Popular Recommendations
Latest courses
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template
About us Disclaimer Sitemap
php.cn:Public welfare online PHP training,Help PHP learners grow quickly!