[Kolab-devel] Supercolliding a PHP array - DoS Attacks

ABBAS Alain alain.abbas at libertech.fr
Tue Jan 10 10:20:05 CET 2012

It is possible with all requests who works with $_POST or $_GET , that means even login page ...
Now the risk i think depends how the site or company is known, could be annoying for example for a mail provider
or a big company but the risk for a small company is low. 

from : 

Hashtable collisions as DOS attack

At this point you may wonder what the above is actually useful for. For the casual user: Not useful at all. But the “bad guys” can easily exploit behavior like the above to perform a DOS (Denial of Service) attack on a server. Remember that $_GET and $_POST and $_REQUEST are just normal arrays and suffer from the same problems. So by sending a specially crafted POST request you can easily take a server down.

PHP is not the only language vulnerable to this. Actually pretty much all other languages used for creating websites have similar problems, as was presented at the 28C3 conference.

But there is hope! PHP already landed a change (which will ship with PHP 5.3.9) which will add a max_input_vars ini setting which defaults to 1000. This setting determines the maximum number of POST/GET variables that are accepted, so now only a maximum of 1000 collisions can be created. If you run the above script with 2^10 = 1024 elements you will get runtimes in the order of 0.003 seconds, which obviously is far less critical than 30 seconds. (Note though that above I am demonstrating an integer key collision. You can also collide string keys, in which case the traversal will be a good bit slower.)

-----Message original-----
De: "Martin Konold" <martin.konold at erfrakon.de>
Envoyé: 10 janvier 2012 07:21:10 UTC
A: "ABBAS Alain" <alain.abbas at libertech.fr>, "Kolab development coordination" <kolab-devel at kolab.org>
Sujet : Re: [Kolab-devel] Supercolliding a PHP array - DoS Attacks

Am Montag, 9. Januar 2012, 22:49:52 schrieb ABBAS Alain:


> -----Message original-----

> There are a serious Dos Attack issue in PHP prior to 5.3.9

Are you aware of any exploit vector against Kolab which can be abused by an 
non authenticated attacker?

-- martin
e r f r a k o n
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Sitz: Adolfstraße 23, 70469 Stuttgart, Partnerschaftsregister Stuttgart PR 126

More information about the devel mailing list