
PHP 5.2.x patch method to prevent hash-collision denial-of-service attacks

WBOY
2016-07-13 17:10:33

This article analyzes the PHP 5.2.x patch method for preventing hash-collision denial-of-service attacks. Readers who need it can use it as a reference.


Last week, Dmitry suddenly introduced a new configuration item when 5.4 was about to be released:

Added max_input_vars directive to prevent attacks based on hash collision. The attack to be prevented is "multiple implementations denial-of-service via hash algorithm collision".

The principle of the attack is very simple. Many languages currently use hash tables to store key-value data, including the POST data commonly submitted by users. An attacker can construct a request whose POST body carries a large number of special "k" (key) values, customized to the hash algorithm of each language, so that the hash table the language uses underneath to store POST data degenerates into a linked list because of collisions.

In this way, if the amount of data is large enough, the language consumes a large amount of CPU time when computing, looking up, and inserting, which results in a denial of service.

PHP5.4 tries to avoid being affected by such attacks by adding a limit:

- max_input_vars - specifies how many GET/POST/COOKIE input variables may be accepted. default value 1000
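
The effect described above, as an added example (not code from the PHP source or from the patch): a toy chained hash table in C that counts key comparisons for well-spread keys, for colliding keys, and for colliding keys when registration stops at a cap in the spirit of max_input_vars. The deliberately weak hash, the constructed key formats and the function name register_vars are assumptions made for illustration.

```c
/* Added illustration: a toy chained hash table, not PHP's implementation. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUCKETS 1024

struct node { char key[16]; struct node *next; };

/* Deliberately weak toy hash: only the first 4 bytes of the key are mixed,
 * so keys sharing a 4-byte prefix land in one bucket. NOT PHP's hash. */
static unsigned toy_hash(const char *s) {
    unsigned h = 0;
    for (int i = 0; i < 4 && s[i]; i++) h = h * 31 + (unsigned char)s[i];
    return h % BUCKETS;
}

/* Register up to n constructed keys, accepting at most max_vars of them
 * (0 = unlimited). Returns the key comparisons spent walking chains. */
unsigned long register_vars(int n, int max_vars, int colliding) {
    struct node **table = calloc(BUCKETS, sizeof *table);
    unsigned long cmps = 0;
    if (!table) return 0;
    for (int i = 0; i < n; i++) {
        if (max_vars && i >= max_vars) break;  /* cap reached: drop the rest */
        char key[16];
        /* constructed sample keys: shared prefix collides, distinct prefix spreads */
        snprintf(key, sizeof key, colliding ? "pre_%04d" : "%04d_fld", i);
        struct node **slot = &table[toy_hash(key)];
        int found = 0;
        for (; *slot; slot = &(*slot)->next) {  /* duplicate check walks the chain */
            cmps++;
            if (strcmp((*slot)->key, key) == 0) { found = 1; break; }
        }
        if (!found && (*slot = calloc(1, sizeof **slot)) != NULL)
            strcpy((*slot)->key, key);
    }
    for (int b = 0; b < BUCKETS; b++)
        for (struct node *p = table[b], *nx; p; p = nx) { nx = p->next; free(p); }
    free(table);
    return cmps;
}

int main(void) {
    printf("benign keys, no cap:      %lu comparisons\n", register_vars(5000, 0, 0));
    printf("colliding keys, no cap:   %lu comparisons\n", register_vars(5000, 0, 1));
    printf("colliding keys, cap 1000: %lu comparisons\n", register_vars(5000, 1000, 1));
    return 0;
}
```

With every key in one bucket the work grows quadratically with the number of accepted variables, so a cap on accepted variables bounds the worst case even though the hash function itself is unchanged.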

If you are using PHP 5.2 and are threatened by such attacks, you can apply the patch below. For PHP 5.3, you can consider upgrading to 5.3.9, which already includes this patch (5.3.9 is currently in RC status, so if you don't want to upgrade, you can also refer to this patch and write one yourself for 5.3):

Prevention methods

1. cd into the PHP source directory and run: patch -p1 < php-5.2.*-max-input-vars.patch
2. The latest PHP 5.3.9-RC4 has already fixed this issue, so for 5.3 you can upgrade to 5.3.9RC4. Of course, if you don't want to upgrade to an RC version, you can simply adapt this patch into one suitable for 5.3.


You can download the package at https://github.com/laruence/laruence.github.com/tree/master/php-5.2-max-input-vars
