cbcvebase.
CVE-2011-4885
published 2011-12-30


Priority: P3, 46
CVSS 2.0: 5 (medium), AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 83.91% (99.7th percentile)
PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

Affected

40 ranges· showing 25
VendorProductVersion rangeFixed in
drupaldrupal
phpphp<= 5.3.8
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp

Detection & IOCs (extracted from sources)

url: http://infodox.co.cc/Downloads/phpdos.txt
url: https://github.com/FireFart/HashCollision-DOS-POC
command: python HashtablePOC.py -u https://host/index.php -v -c 500 -t PHP
  • Detect CVE-2011-4885 exploitation by monitoring for HTTP POST requests containing an abnormally large number of form parameters with hash-colliding keys, causing sustained CPU consumption on the server.
  • The exploit sends POST requests with Content-Type: application/x-www-form-urlencoded containing a large payload of hash-colliding parameter names; inspect POST body size approaching PHP's 8MB default limit (max_input_vars / post.max_vars) as an indicator.
  • The PoC generates random payload keys to bypass IDS signatures; detection should focus on statistical anomalies in POST parameter counts rather than fixed key patterns.
  • PHP installations using Suhosin with mbstring.encoding_translation enabled may not correctly limit POST variable counts, leaving the server exposed even with Suhosin deployed; verify mbstring.encoding_translation is Off.
  • PHP's newly introduced directive 'max_input_vars' (added in 5.3.9) can be used to limit the number of POST variables processed; absence of this limit on PHP < 5.3.9 is a key indicator of exposure.
  • The fix introduced in PHP 5.3.9 (max_input_vars) was itself incomplete; CVE-2012-0830 describes a follow-on RCE vulnerability in php_register_variable_ex due to an incorrect fix for CVE-2011-4885, so patching to exactly 5.3.9 is insufficient.
  • Suhosin's post.max_vars mitigation is bypassed when mbstring.encoding_translation is enabled, causing only every other POST variable to be counted by Suhosin; this configuration must be corrected for Suhosin-based defenses to be effective.
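
The count-based detection described in the bullets above, sketched as an added example (not code from this page or from the referenced PoC). The function names, the threshold `k`, and the sample history and request bodies are constructed assumptions; the hard ceiling mirrors the default value of PHP's max_input_vars (1000).

```python
"""Flag form-encoded POST bodies whose parameter count is anomalous."""
from statistics import median

# Assumption: ceiling set to the default of PHP's max_input_vars.
HARD_LIMIT = 1000


def count_params(body: bytes) -> int:
    """Count '&'-separated fields without building a dict, so the
    detector itself never hashes sender-chosen keys."""
    return sum(1 for field in body.split(b"&") if field)


def baseline(counts):
    """Median and median absolute deviation (MAD) of past counts."""
    med = median(counts)
    mad = median(abs(c - med) for c in counts) or 1  # avoid zero spread
    return med, mad


def is_anomalous(body: bytes, med: float, mad: float, k: float = 10.0) -> bool:
    """True if the count exceeds the hard ceiling, or sits more than
    k MADs above the endpoint's normal count (key names are ignored,
    so randomised keys do not evade the check)."""
    n = count_params(body)
    return n > HARD_LIMIT or (n - med) / mad > k


# Constructed sample: parameter counts seen earlier on one endpoint.
HISTORY = [3, 5, 4, 8, 6, 12, 5, 7]

# Constructed sample bodies: an ordinary login form and a request
# carrying 500 parameters (plain sequential keys, not colliding ones).
NORMAL_BODY = b"user=a&pass=b&csrf=c"
LARGE_BODY = b"&".join(b"k%d=1" % i for i in range(500))


def evaluate():
    """Return (count, flagged) for each constructed sample body."""
    med, mad = baseline(HISTORY)
    return [(count_params(b), is_anomalous(b, med, mad))
            for b in (NORMAL_BODY, LARGE_BODY)]


if __name__ == "__main__":
    for count, flagged in evaluate():
        print(f"params={count} flagged={flagged}")
```

The statistical check fires well below the hard ceiling, which matters on endpoints that normally receive only a handful of fields.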

CVSS provenance

nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P
vendor_redhat | 5.0 | MEDIUM
vendor_ubuntu | 5.0 | MEDIUM