CVE-2011-4885
Published: 2011-12-30
Priority: P3 · 46 · medium · 5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit: available
EPSS: 83.91% (99.7th percentile)
PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Affected (40 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | drupal | — | — |
| php | php | <= 5.3.8 | — |
Detection & IOCs (extracted from sources)
- Detect CVE-2011-4885 exploitation by monitoring for HTTP POST requests containing an abnormally large number of form parameters with hash-colliding keys, causing sustained CPU consumption on the server.
- The exploit sends POST requests with Content-Type: application/x-www-form-urlencoded containing a large payload of hash-colliding parameter names; inspect POST body size approaching PHP's 8MB default limit (max_input_vars / post.max_vars) as an indicator.
- The PoC generates random payload keys to bypass IDS signatures; detection should focus on statistical anomalies in POST parameter counts rather than fixed key patterns.
- PHP installations using Suhosin with mbstring.encoding_translation enabled may not correctly limit POST variable counts, leaving the server exposed even with Suhosin deployed; verify that mbstring.encoding_translation is Off.
- PHP's newly introduced directive max_input_vars (added in 5.3.9) can be used to limit the number of POST variables processed; the absence of this limit on PHP < 5.3.9 is a key indicator of exposure.
- The fix introduced in PHP 5.3.9 (max_input_vars) was itself incomplete; CVE-2012-0830 describes a follow-on RCE vulnerability in php_register_variable_ex due to an incorrect fix for CVE-2011-4885, so patching to exactly 5.3.9 is insufficient.
- Suhosin's post.max_vars mitigation is bypassed when mbstring.encoding_translation is enabled, causing only every other POST variable to be counted by Suhosin; this configuration must be corrected for Suhosin-based defenses to be effective.
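The detection notes above boil down to one rule: alert on the number of form parameters in a POST body, not on what the keys look like, because the public PoC randomises key names. The following Python script is an added example (not part of this CVE record nor of any tool it cites) that applies that rule to a few constructed requests. The `Request` type, the alert threshold of 500 and the sample bodies are all assumptions made for the demo; the 1000 figure is the max_input_vars default the Ubuntu advisory below states.

```python
"""Count-based detector for PHP hash-collision POST floods (CVE-2011-4885).

Added example. The decision uses only the parameter count: the public PoC
randomises key names, so matching on fixed key patterns does not work.
"""
from dataclasses import dataclass
from urllib.parse import parse_qsl

# max_input_vars default introduced with PHP 5.3.9 (see the Ubuntu advisory).
PHP_MAX_INPUT_VARS_DEFAULT = 1000
# Constructed alert threshold: deliberately below the PHP limit so that an
# unpatched host (which has no limit at all) is flagged before CPU is exhausted.
PARAM_ALERT_THRESHOLD = 500


@dataclass
class Request:
    """Minimal request view, i.e. what a proxy or WAF log typically exposes (assumed shape)."""
    method: str
    path: str
    content_type: str
    body: str


def count_form_params(body: str) -> int:
    """Count name=value pairs the way PHP registers them into $_POST.

    keep_blank_values=True so bare names ("a&b&c") are counted too: PHP
    registers those, and a collision payload does not need values.
    """
    return len(parse_qsl(body, keep_blank_values=True))


def is_form_post(req: Request) -> bool:
    """True for POST bodies PHP would parse into $_POST before the script runs."""
    media_type = req.content_type.split(";", 1)[0].strip().lower()
    return req.method.upper() == "POST" and media_type == "application/x-www-form-urlencoded"


def assess(req: Request, threshold: int = PARAM_ALERT_THRESHOLD) -> dict:
    """Return a verdict for one request; non-form requests never alert."""
    if not is_form_post(req):
        return {"alert": False, "params": 0, "body_bytes": len(req.body),
                "reason": "not a form POST"}
    n = count_form_params(req.body)
    return {"alert": n >= threshold, "params": n, "body_bytes": len(req.body),
            "reason": f"{n} form parameters (threshold {threshold})"}


def scan(requests, threshold: int = PARAM_ALERT_THRESHOLD):
    """Yield (request, verdict) for every request that trips the detector."""
    for req in requests:
        verdict = assess(req, threshold)
        if verdict["alert"]:
            yield req, verdict


# --- constructed sample traffic (not real captures) -------------------------
NORMAL_LOGIN = Request("POST", "/login.php", "application/x-www-form-urlencoded",
                       "user=alice&pass=s3cret&remember=1")
SEARCH_GET = Request("GET", "/search.php?q=php", "", "")
# 2000 distinct, random-looking names with no values. These names are NOT hash
# collisions (an odd multiplier mod 2**32 just spreads them out); the detector
# never needs them to be, which is the whole point of counting instead of matching.
FLOOD = Request("POST", "/index.php", "application/x-www-form-urlencoded; charset=UTF-8",
                "&".join(f"k{(i * 2654435761) % 2**32:08x}" for i in range(2000)))

if __name__ == "__main__":
    for req, verdict in scan([NORMAL_LOGIN, SEARCH_GET, FLOOD]):
        print(f"ALERT {req.method} {req.path}: {verdict['reason']}")
```

In production the threshold should come from a baseline of your own traffic (legitimate forms rarely exceed a few dozen fields), and the same count can be compared against the `max_input_vars` value actually configured on the backend so that a request the server would truncate and one it would fully process are distinguished in the alert.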
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| vendor_redhat | — | 5.0 | MEDIUM | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |
Ubuntu: PHP regression (CVE-2012-0831, MEDIUM)
vendor_ubuntu · 2012-02-13 · CVSS 5.0
Summary: USN 1358-1 introduced a regression in PHP.
USN 1358-1 fixed multiple vulnerabilities in PHP. The fix for
CVE-2012-0831 introduced a regression where the state of the
magic_quotes_gpc setting was not correctly reflected when calling
the ini_get() function.
We apologize for the inconvenience.
Original advisory details:
It was discovered that PHP computed hash values for form parameters
without restricting the ability to trigger hash collisions predictably.
This could allow a remote attacker to cause a denial of service by
sending many crafted parameters. (CVE-2011-4885)
ATTENTION: this update changes previous PHP behavior by
limiting the number of external input variables to 1000.
This may be increased by adding a "max_input_vars"
directive to the php.ini
Ubuntu: PHP vulnerabilities (CVE-2012-0831, MEDIUM)
vendor_ubuntu · 2012-02-10 · CVSS 5.0
Summary: Multiple vulnerabilities in PHP.
It was discovered that PHP computed hash values for form parameters
without restricting the ability to trigger hash collisions predictably.
This could allow a remote attacker to cause a denial of service by
sending many crafted parameters. (CVE-2011-4885)
ATTENTION: this update changes previous PHP behavior by
limiting the number of external input variables to 1000.
This may be increased by adding a "max_input_vars"
directive to the php.ini configuration file. See
http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars
for more information.
Stefan Esser discovered that the fix to address the predictable hash
collision issue, CVE-2011-4885, did not properly handle the situation
where the limit was reache
Red Hat: php: remote code exec flaw introduced in the CVE-2011-4885 hashdos fix (CVE-2012-0830, MEDIUM, CWE-228)
vendor_redhat · 2012-02-02 · CVSS 5.0
The php_register_variable_ex function in php_variables.c in PHP 5.3.9 allows remote attackers to execute arbitrary code via a request containing a large number of variables, related to improper handling of array variables. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4885.
Drupal: Hash DOS attack prevention with Suhosin needs a .htaccess edit - PSA-2012-001 (CVE-2011-4885, MEDIUM)
vendor_drupal · 2012-01-11 · CVSS 5.0
Vulnerability Type: Hash DOS attack prevention with Suhosin needs a .htaccess edit
Advisory ID: DRUPAL-PSA-2012-001
Project: Drupal core
Version: 6.x, 7.x
Date: 2012-01-11
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Denial of Service
Description: Update, June 12th 2012: this advisory is related to flaws in PHP with CVE identifiers CVE-2011-4885 and CVE-2012-0830. Users are encouraged to update the PHP used for their site to a version that is known to fix those vulnerabilities. See below for mitigation techniques if your site runs a version of PHP that doesn't contain those fixes and you cannot change it. PHP is vulnerable to a hash collision denial of service (DOS) at
Red Hat: php: hash table collisions CPU usage DoS (oCERT-2011-003) (CVE-2011-4885, MEDIUM)
vendor_redhat · 2011-12-28 · CVSS 5.0
PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
GHSA: GHSA-q9pr-6h9m-h8vf: PHP before 5 (CVE-2011-4885, MEDIUM, CWE-20)
ghsa_unreviewed · 2022-05-14
PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
GHSA: GHSA-4pjr-p785-567f: The php_register_variable_ex function in php_variables (CVE-2012-0830, MEDIUM)
ghsa_unreviewed · 2022-05-14 · CVSS 5.0
The php_register_variable_ex function in php_variables.c in PHP 5.3.9 allows remote attackers to execute arbitrary code via a request containing a large number of variables, related to improper handling of array variables. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4885.
No detection rules found.
Exploit-DB: PHP Hash Table Collision - Denial of Service (PoC) (CVE-2011-4885, MEDIUM)
exploitdb · 2012-01-03 · CVSS 5.0
---
#!/usr/bin/env python
"""
This script was written by Christian Mehlmauer
https://twitter.com/#!/_FireFart_
Sourcecode online at:
https://github.com/FireFart/HashCollision-DOS-POC
Original PHP Payloadgenerator taken from https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision
http://www.ocert.org/advisories/ocert-2011-003.html
CVE:
Apache Geronimo: CVE-2011-5034
Oracle Glassfish: CVE-2011-5035
PHP: CVE-2011-4885
Apache Tomcat: CVE-2011-4858
requires Python 2.7
Examples:
-) Make a single Request, wait for the response and save the response to output0.html
python HashtablePOC.py -u https://host/index.php -v -c 1 -w -o output -t PHP
-) Take down a PHP server(make 500 requests without waiting for a response):
p
Exploit-DB: PHP 5.3.8 - Hashtables Denial of Service (CVE-2011-4885, MEDIUM)
exploitdb · 2012-01-01 · CVSS 5.0
---
# Exploit Title: CVE-2011-4885 PHP Hashtables Denial of Service Exploit
# Date: 1/1/12
# Author: infodox
# Software Link: php.net
# Version: 5.3.*
# Tested on: Linux
# CVE : CVE-2011-4885
Exploit download -- http://infodox.co.cc/Downloads/phpdos.txt
Exploit-DB: MyBulletinBoard (MyBB) 1.1.5 - 'CLIENT-IP' SQL Injection (CVE-2011-5035)
exploitdb · 2006-07-15
---
#!/usr/bin/php -q -d short_open_tag=on
$this->ipaddress = $ipaddress = getip();
//
// User-agent
//
$this->useragent = $_SERVER['HTTP_USER_AGENT'];
if(strlen($this->useragent) > 100)
{
$this->useragent = substr($this->useragent, 0, 100);
}
//
// Attempt to find a session id in the cookies
//
if($_COOKIE['sid'])
{
$this->sid = addslashes($_COOKIE['sid']);
}
else
{
$this->sid = 0;
}
//
// Attempt to load the session from the database
//
$query = $db->query("SELECT sid,uid FROM ".TABLE_PREFIX."sessions WHERE sid='".$this->sid."' AND ip='".$this->ipaddress."'");
...
injection is blind, but you can ask true-false questions to the database to
retrieve the admin loginkey.
Through that you can build an admin cookie and create a new admin
Metasploit: Hashtable Collisions
metasploit
This module uses a denial-of-service (DoS) condition appearing in a variety of programming languages. This vulnerability occurs when storing multiple values in a hash table and all values have the same hash value. This can cause a web server parsing the POST parameters issued with a request into a hash table to consume hours of CPU with a single HTTP request. Currently, only the hash functions for PHP and Java are implemented. This module was tested with PHP + httpd, Tomcat, Glassfish and Geronimo. It also generates a random payload to bypass some IDS signatures.
Bugzilla: CVE-2012-0830 php: remote code exec flaw introduced in the CVE-2011-4885 hashdos fix [fedora-all] (MEDIUM)
bugzilla · 2012-02-02 · CVSS 5.0
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updat
Bugzilla: CVE-2012-0830 php: remote code exec flaw introduced in the CVE-2011-4885 hashdos fix (MEDIUM)
bugzilla · 2012-02-02 · CVSS 5.0
A flaw was found in the way the max_input_vars directive was implemented in php, as a fix for CVE-2011-4885 (php: hash table collisions CPU usage DoS issue).
A remote attacker could send a large number of crafted POST requests, which could crash php or execute arbitrary code with the permissions of the user running php.
Possible upstream patch: http://svn.php.net/viewvc?view=revision&revision=323007
Reference:
http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
Discussion:
http://www.h-online.com/security/news/item/Critical-PHP-vulnerability-being-fixed-1427316.html
---
Following page links errata that has been released for Red Hat Enterprise
Bugzilla: CVE-2011-4885 php: hash table collisions CPU usage DoS (oCERT-2011-003) [fedora-all] (MEDIUM)
bugzilla · 2011-12-29 · CVSS 5.0
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_
Bugzilla: CVE-2011-4885 php: hash table collisions CPU usage DoS (oCERT-2011-003) (MEDIUM)
bugzilla · 2011-11-01 · CVSS 5.0
Julian Wälde and Alexander Klink reported a flaw in the hash function used in the implementation of the PHP arrays. PHP arrays are implemented using the hash table that maps keys to values:
http://www.php.net/manual/en/language.types.array.php
A specially crafted set of keys could trigger hash function collisions, which degrade hash table performance by changing the complexity of hash table operations from the expected/average O(1) to the worst case O(n). The reporters were able to find colliding strings efficiently using equivalent-substring or meet-in-the-middle techniques.
As PHP automatically pre-fills certain arrays (such as $_POST, $_GET, or $_COOKIE) with data from the HTTP request before executing a script, a remote at
Tenable: Tenable Network Security Podcast 110
blogs_tenable · 2012-01-24
References
- http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
- http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00016.html
- http://marc.info/?l=bugtraq&m=132871655717248&w=2
- http://marc.info/?l=bugtraq&m=133469208622507&w=2
- http://rhn.redhat.com/errata/RHSA-2012-0071.html
- http://secunia.com/advisories/47404
- http://secunia.com/advisories/48668
- http://support.apple.com/kb/HT5281
- http://svn.php.net/viewvc?view=revision&revision=321003
- http://svn.php.net/viewvc?view=revision&revision=321040
- http://www.debian.org/security/2012/dsa-2399
- http://www.exploit-db.com/exploits/18296
- http://www.exploit-db.com/exploits/18305
- http://www.kb.cert.org/vuls/id/903934
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:197
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
- http://www.nruns.com/_downloads/advisory28122011.pdf
- http://www.ocert.org/advisories/ocert-2011-003.html
- http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
- http://www.redhat.com/support/errata/RHSA-2012-0019.html
- http://www.securityfocus.com/bid/51193
- http://www.securitytracker.com/id?1026473
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72021
- https://github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py