PHP <=5.4.8, <=5.3.18 with mbstring.encoding_translation = On is vulnerable to HashDoS

Mon 26 November 2012

The HashDoS attack on scripting languages was first presented at the 28C3 conference [1]. It targets the performance bottleneck in maintaining large hash tables built from request parameters.

The main protection against this attack is to limit the number of request parameters. In PHP this is done with the max_input_vars parameter, but that parameter is ignored if the mbstring.encoding_translation parameter is set to "On". It is therefore possible to send a request with a large number of parameters and perform a HashDoS attack.

Fortunately, the default value for mbstring.encoding_translation is "Off". This vulnerability mainly affects Japanese web sites, where automated encoding conversion is widely used. However, it is strongly recommended to update to the latest version of PHP.
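A configuration audit for the condition described above, as an added example that is not part of the original post: it flags a host as exposed when the PHP version falls in the ranges from the title and mbstring.encoding_translation is enabled in php.ini. The function names and the sample php.ini are constructed for illustration.

```python
import re

# Affected ranges as given in the page title: <=5.3.18 and <=5.4.8.
AFFECTED_MAX_PATCH = {(5, 3): 18, (5, 4): 8}
TRUTHY = {"on", "1", "true", "yes"}

# Constructed sample php.ini, not taken from a real host.
SAMPLE_INI = """\
[PHP]
max_input_vars = 1000
[mbstring]
; mbstring.encoding_translation = Off
mbstring.encoding_translation = On   ; automatic input conversion
"""

def parse_ini(text):
    """Return {directive: value} from php.ini text; the last assignment wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop ';' comments (simplified)
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def version_affected(version):
    """True if the version string is within the ranges named in the title."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised PHP version: %r" % version)
    major, minor, patch = map(int, m.groups())
    if (major, minor) in AFFECTED_MAX_PATCH:
        return patch <= AFFECTED_MAX_PATCH[(major, minor)]
    return (major, minor) < (5, 3)            # older branches are also <=5.3.18

def audit(version, ini_text):
    ini = parse_ini(ini_text)
    translation_on = ini.get("mbstring.encoding_translation", "Off").lower() in TRUTHY
    affected = version_affected(version)
    return {
        "version_affected": affected,
        "encoding_translation_on": translation_on,
        "max_input_vars": ini.get("max_input_vars"),  # ignored when exposed
        "exposed": affected and translation_on,
    }

if __name__ == "__main__":
    print(audit("5.4.8", SAMPLE_INI))
```

The directive can also be set per directory in the web server configuration, so the value reported by phpinfo() for the actual virtual host is the one to trust.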


[1] Alexander ‘alech’ Klink, Julian | zeri, "Effective denial of service attacks against web application platforms", 28C3, 2011

[2] Hiroshi Tokumaru, "Security information: hashdos vulnerability in PHP 5.4.8, PHP 5.3.18 and earlier"
