(LiveHacking.Com) – The PHP development team have released PHP 5.3.10 to fix a recently discovered remote code execution vulnerability. The vulnerability is a result of the hash table collisions CPU usage denial-of-service fix which was added to 5.3.9. For that fix the maximum possible number of input parameters was limited to 1000, but because of a bug in the implementation a remote attacker could send a large number of specially crafted POST requests, which could crash PHP or allow arbitrary code execution.
PHP 5.3.9 was released just over two weeks ago with over 90 bug fixes, some of which were security related. Among them was a fix for the hash table collisions problem that affected all the popular Web programming languages (including PHP, ASP.NET, Ruby and Python). At the end of last year, Alexander Klink and Julian Wälde revealed that many programming languages use hash tables while parsing POST forms to make them easily accessible by application developers. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request. So it is possible for an attacker to send a small number of specially crafted posts to a server, causing high CPU utilization and creating a denial of service condition. PHP 5.3.10 fixes the fix for the fix!
The new version of PHP can be downloaded here and it is recommended that all users to upgrade to the new version. The different Linux distributions have started to update their repositories:
- Debian Squeeze update announcement is here: http://lists.debian.org/debian-security-announce/2012/msg…
- RHEL 4, 5 and 6 updates are here: https://rhn.redhat.com/errata/RHSA-2012-0093.html
- And details of the php53 packages for RHEL5 is here: https://rhn.redhat.com/errata/RHSA-2012-0092.html