Source: cve@mitre.org
PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
PHP versions prior to 5.3.9 are vulnerable to a denial-of-service (DoS) attack. Attackers can exploit a flaw in how PHP handles hash collisions in form parameters, leading to excessive CPU consumption and potentially rendering web applications unresponsive.
Step 1: Payload Creation: The attacker crafts an HTTP POST request containing a large number of form parameters. These parameters are designed to collide within PHP's internal hash table. This is achieved by carefully selecting parameter names that, when passed through PHP's hash function, produce the same hash value.
Step 2: Request Submission: The attacker submits the crafted HTTP POST request to the vulnerable PHP application.
Step 3: Hash Collision Trigger: The PHP interpreter receives the request and begins processing the form parameters. Due to the crafted parameter names, numerous hash collisions occur within the hash table used to store the form data.
Step 4: CPU Exhaustion: During hash table lookups, the server must compare the parameter name against each entry in the bucket where collisions have occurred. The large number of collisions results in a significant increase in CPU usage.
Step 5: Denial of Service: The excessive CPU consumption can lead to a denial-of-service condition, making the web application unresponsive to legitimate user requests.
The vulnerability stems from PHP's implementation of hash table lookups for processing form parameters. Specifically, the hash function used to map parameter names to their storage locations is susceptible to hash collisions. An attacker can craft a request with numerous parameters designed to collide within the hash table. This forces the server to perform a large number of comparisons during hash table lookups, consuming significant CPU resources. The lack of a mechanism to mitigate or prevent these collisions allows for a DoS condition. The root cause is the predictable nature of the hash function combined with the lack of collision resistance, enabling attackers to control the hash values and force collisions.
While no specific APT groups are exclusively known for exploiting this vulnerability, it is a common attack vector used in conjunction with other vulnerabilities. This vulnerability is not listed on the CISA KEV catalog, likely due to its age and the prevalence of patched versions.
High CPU utilization on the web server, particularly during periods of high traffic.
Unusually long response times for web requests.
Monitoring web server access logs for suspicious POST requests with a large number of parameters (e.g., hundreds or thousands).
Network traffic analysis looking for POST requests with a high volume of parameters, potentially with repetitive or crafted parameter names.
Web application firewall (WAF) alerts triggered by requests with excessive parameters or suspicious patterns.
Upgrade PHP to version 5.3.9 or later. This is the primary and most effective remediation.
Implement a Web Application Firewall (WAF) to filter malicious requests. Configure the WAF to limit the number of parameters accepted in a single request.
Rate-limit requests from individual IP addresses to prevent abuse.
Monitor server resource usage (CPU, memory, disk I/O) to detect unusual spikes.
Consider using a different hash function or a more collision-resistant hash algorithm if possible, though this is not a direct configuration option in PHP itself.
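The per-request parameter limit recommended above for a WAF, and the detection signal of POST requests carrying hundreds or thousands of parameters, as an added Python example (not code from PHP or from this advisory). The function name, the Verdict type, the 1000-parameter limit and the sample bodies are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import unquote_plus

MAX_PARAMS = 1000  # assumed policy limit; tune it to the largest legitimate form


@dataclass
class Verdict:
    params_seen: int     # parameters counted before the scan stopped
    distinct_names: int  # unique decoded parameter names among those counted
    blocked: bool
    reason: str


def inspect_form_body(body: bytes, max_params: int = MAX_PARAMS) -> Verdict:
    """Count parameters in an application/x-www-form-urlencoded body.

    The body is scanned one separator at a time and the scan stops as soon
    as the limit is passed, so the check stays cheap on an oversized body.
    """
    seen = 0
    names = set()
    pos, end = 0, len(body)
    while pos < end:
        nxt = body.find(b"&", pos)
        if nxt == -1:
            nxt = end
        pair = body[pos:nxt]
        pos = nxt + 1
        if not pair:
            continue  # empty segment, e.g. "a=1&&b=2"
        raw_name = pair.split(b"=", 1)[0]
        names.add(unquote_plus(raw_name.decode("latin-1")))
        seen += 1
        if seen > max_params:
            # Reject before the request reaches the PHP interpreter.
            return Verdict(seen, len(names), True,
                           f"more than {max_params} parameters")
    return Verdict(seen, len(names), False, "within limit")


# Constructed sample bodies (not taken from real traffic).
NORMAL_BODY = b"user=alice&password=s3cret&remember=1"
OVERSIZED_BODY = b"&".join(b"p%d=x" % i for i in range(5000))

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL_BODY), ("oversized", OVERSIZED_BODY)):
        print(label, inspect_form_body(sample))
```

A blocked verdict is also worth logging with the client address, since the access log alone usually records only the request size and not the parameter count.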