CVE-2012-0830
Published 2012-02-06
Priority: P2 64 · high · 7.5 (CVSS 2.0) · vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit available
EPSS: 30.14% (98.0th percentile)
The php_register_variable_ex function in php_variables.c in PHP 5.3.9 allows remote attackers to execute arbitrary code via a request containing a large number of variables, related to improper handling of array variables. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4885.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | drupal | — | — |
| php | php | — | — |
Detection & IOCs (extracted from sources)
Source: http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
- The exploit sends a crafted multipart/form-data POST request with a large number of variables; the payload boundary is MD5-based and the variable data begins with chr(16) followed by repeated bytes. Monitor for abnormally large POST bodies with an excessive number of form-data fields targeting PHP 5.3.9.
- The vulnerability is triggered in php_register_variable_ex in php_variables.c when a request containing a large number of variables is processed. Detect anomalous POST requests whose variable counts exceed normal thresholds (e.g., max_input_vars) directed at PHP 5.3.9 endpoints.
- A remote attacker could send a large number of crafted POST requests, which could crash PHP or execute arbitrary code with the permissions of the user running PHP. Alert on repeated high-variable-count POST requests from a single source IP.
- The vulnerability exists specifically in PHP 5.3.9 as a result of the incorrect fix for CVE-2011-4885; PHP 5.3.10 contains the corrected fix. Downgrading to a version prior to the CVE-2011-4885 patch also mitigates the issue.
- The Suhosin extension's post.max_vars limit is bypassed when mbstring.encoding_translation is enabled (e.g., via .htaccess), causing only every other POST variable to be checked. Remove the mbstring.encoding_translation directive from .htaccess to restore Suhosin's effectiveness.
- The max_input_vars directive introduced in PHP 5.3.9 as a mitigation for CVE-2011-4885 was implemented incorrectly, creating this RCE flaw; the directive alone is not a safe mitigation on PHP 5.3.9.
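As an added example (not code from any advisory or source quoted on this page), the following Python detection check counts the variables a POST body would register in PHP, flags requests over the max_input_vars default of 1000, and tallies alerts per source IP for the repeated-request pattern described above. The sample bodies, boundary string and IP address are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl

# PHP 5.3.9 default for max_input_vars (see the Ubuntu advisory on this page).
MAX_INPUT_VARS = 1000

def _boundary(content_type: str) -> Optional[bytes]:
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    return m.group(1).encode() if m else None

def count_post_vars(content_type: str, body: bytes) -> int:
    """Count the form variables PHP would register from a POST body.
    Every key=value pair counts, including array members such as tags[]=a."""
    ctype = content_type.lower()
    if ctype.startswith("application/x-www-form-urlencoded"):
        return len(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    if ctype.startswith("multipart/form-data"):
        boundary = _boundary(content_type)
        if boundary is None:
            return 0
        count = 0
        for part in body.split(b"--" + boundary)[1:]:
            if part.startswith(b"--"):  # "--boundary--" closes the body
                break
            headers = part.split(b"\r\n\r\n", 1)[0].lower()
            if b"content-disposition: form-data" in headers:
                count += 1
        return count
    return 0  # other content types register no POST variables here

def check_request(src_ip: str, content_type: str, body: bytes,
                  limit: int = MAX_INPUT_VARS) -> dict:
    """One detection record: variable count, body size and whether to alert."""
    n = count_post_vars(content_type, body)
    return {"src_ip": src_ip, "vars": n, "bytes": len(body), "alert": n > limit}

def alerts_per_source(records) -> dict:
    """Tally alerting requests by source IP for the repeated-request pattern."""
    tally = {}
    for r in records:
        if r["alert"]:
            tally[r["src_ip"]] = tally.get(r["src_ip"], 0) + 1
    return tally

def make_multipart(n: int, boundary: str = "constructedboundary") -> tuple:
    """Constructed sample: a multipart/form-data body with n text fields."""
    part = '--{b}\r\nContent-Disposition: form-data; name="f{i}"\r\n\r\nx\r\n'
    body = "".join(part.format(b=boundary, i=i) for i in range(n)) + f"--{boundary}--\r\n"
    return f"multipart/form-data; boundary={boundary}", body.encode()
```

A real deployment would take the content type and body from the web server's request log or a WAF hook rather than from constructed samples.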
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 5.0 | MEDIUM | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |
Ubuntu
PHP regression (CVE-2012-0831 [MEDIUM])
vendor_ubuntu · 2012-02-13 · CVSS 5.0
Summary: USN 1358-1 introduced a regression in PHP.
USN 1358-1 fixed multiple vulnerabilities in PHP. The fix for
CVE-2012-0831 introduced a regression where the state of the
magic_quotes_gpc setting was not correctly reflected when calling
the ini_get() function.
We apologize for the inconvenience.
Original advisory details:
It was discovered that PHP computed hash values for form parameters
without restricting the ability to trigger hash collisions predictably.
This could allow a remote attacker to cause a denial of service by
sending many crafted parameters. (CVE-2011-4885)
ATTENTION: this update changes previous PHP behavior by
limiting the number of external input variables to 1000.
This may be increased by adding a "max_input_vars"
directive to the php.ini
Ubuntu
PHP vulnerabilities (CVE-2012-0831 [MEDIUM])
vendor_ubuntu · 2012-02-10 · CVSS 5.0
Summary: Multiple vulnerabilities in PHP.
It was discovered that PHP computed hash values for form parameters
without restricting the ability to trigger hash collisions predictably.
This could allow a remote attacker to cause a denial of service by
sending many crafted parameters. (CVE-2011-4885)
ATTENTION: this update changes previous PHP behavior by
limiting the number of external input variables to 1000.
This may be increased by adding a "max_input_vars"
directive to the php.ini configuration file. See
http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars
for more information.
Stefan Esser discovered that the fix to address the predictable hash
collision issue, CVE-2011-4885, did not properly handle the situation
where the limit was reache
Red Hat
php: remote code exec flaw introduced in the CVE-2011-4885 hashdos fix (CVE-2012-0830 [MEDIUM], CWE-228)
vendor_redhat · 2012-02-02 · CVSS 5.0
Drupal
Hash DOS attack prevention with Suhosin needs a .htaccess edit - PSA-2012-001 (CVE-2011-4885 [MEDIUM])
vendor_drupal · 2012-01-11 · CVSS 5.0
Vulnerability Type: Hash DOS attack prevention with Suhosin needs a .htaccess edit
Advisory ID: DRUPAL-PSA-2012-001
Project: Drupal core
Version: 6.x, 7.x
Date: 2012-01-11
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Denial of Service
Description: Update, June 12th 2012: this advisory is related to flaws in PHP with CVE identifiers CVE-2011-4885 and CVE-2012-0830. Users are encouraged to update the PHP used for their site to a version that is known to fix those vulnerabilities. See below for mitigation techniques if your site runs a version of PHP that doesn't contain those fixes and you cannot change it. PHP is vulnerable to a hash collision denial of service (DOS) at
GHSA
GHSA-4pjr-p785-567f: The php_register_variable_ex function in php_variables (CVE-2012-0830 [MEDIUM])
ghsa_unreviewed · 2022-05-14 · CVSS 5.0
No detection rules found.
Bugzilla
CVE-2012-0830 php: remote code exec flaw introduced in the CVE-2011-4885 hashdos fix [fedora-all] (CVE-2012-0830 [MEDIUM])
bugzilla · 2012-02-02 · CVSS 5.0
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updat
Bugzilla
CVE-2012-0830 php: remote code exec flaw introduced in the CVE-2011-4885 hashdos fix (CVE-2012-0830 [MEDIUM])
bugzilla · 2012-02-02 · CVSS 5.0
A flaw was found in the way the max_input_vars directive was implemented in php, as a fix for CVE-2011-4885 (php: hash table collisions CPU usage DoS issue).
A remote attacker could send a large number of crafted POST requests, which could crash php or execute arbitrary code with the permissions of the user running php.
Possible upstream patch: http://svn.php.net/viewvc?view=revision&revision=323007
Reference:
http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
Discussion:
http://www.h-online.com/security/news/item/Critical-PHP-vulnerability-being-fixed-1427316.html
---
Following page links errata that has been released for Red Hat Enterprise