[nycphp-talk] Hash Table Vulnerability in PHP5
Hans C. Kaspersetz
hans at cyberxdesigns.com
Thu Dec 29 11:19:33 EST 2011
Good morning,

I hope everyone has seen the news about the Hash Table Vulnerability in lots
of web scripting languages. You can read about it here:
http://www.securityweek.com/hash-table-collision-attacks-could-trigger-ddos-massive-scale
or here: http://www.kb.cert.org/vuls/id/903934.

It looks like PHP has addressed the issue
(http://www.php.net/archive/2011.php#id2011-12-25-1) by providing a max var
directive in the latest RC5 for 5.4.0. However, with all release candidates
they are strongly advising against using it in production.

What is the general consensus for mitigating this risk without moving to
RC5?

We are limiting the execution time of our scripts; however, for upload
scripts or processing-intensive scripts we need to increase the execution
time, which I imagine would leave those scripts more vulnerable.

Thanks,
Hans Kaspersetz
Cyber X Designs
http://cyberxdesigns.com