A security vulnerability found in PHP and many other programming languages may allow attackers/hackers to halt servers with vulnerable PHP installations.
Before getting into the details, let us first understand what the Hash Collision vulnerability is.
Arrays are very popular data types in PHP and many other scripting languages. They are data types that can store a variable number of entries of any type. One can store as many entries in an array as one likes. This is the root of the vulnerability known as Hash Collision.
In PHP and several other languages used to implement Web applications, arrays are used to store the values of request variables such as $_GET, $_POST, $_COOKIE, etc. If a server receives a request with a large number of request values, PHP may run into trouble in all but recent versions.
Let us now look, superficially, at what exactly the problem is. The PHP runtime engine, which is implemented in C, reads the HTTP request data and builds arrays to store the request variables. This happens even before any PHP code starts being executed.
In the C implementation of PHP, and in other languages, arrays are implemented as data structures called hash tables. In simplistic terms, hash tables are arrays of linked lists of entries. These arrays have a fixed size.
Every time someone wants to add a new entry to a hash table, they need to compute a hash value for the new array entry key. That hash value is an integer value that determines into which linked list the new array entry will be added.
Once the hash table code determines into which linked list the new entry belongs, it determines if there is already an entry with the same array key in that linked list.
If there is no entry with the same key value, the new array entry value is added to the linked list. Otherwise, the new entry value will replace the old entry with the same key.
This process is reasonably fast if the number of entries in the array is relatively small. However, if the array has a very large number of entries, the performance of inserting new entries starts degrading.
This problem can be seriously aggravated if the values of the keys to be added in the array have the same hash value, which means that they will be added to the same linked list.
What some security researchers have found is a way to easily determine a large number of array keys that can be used to craft an HTTP request with many request variables (GET, POST, COOKIE, etc.). Such a request can make PHP take hours, or maybe much longer, to handle a single HTTP request, just by making PHP consume all the CPU it gets to build the request variable arrays.
This means that with even a relatively small number of requests an attacker/hacker may make PHP consume all the CPU it gets until the machine practically hangs/freezes, unless something kills the affected PHP processes.
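The insertion procedure and the collision worst case described above can be measured directly. The following C program is an added example, not code from the article or from PHP: the names `insert_cost` and `spread_hash`, the "times 33" hash, the constructed keys and the `max_entries` limit are all assumptions of this sketch, and the worst case is modelled by sending every key to bucket 0 rather than by computing real colliding keys.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS 1024                 /* fixed table size, as described above */

struct entry { char key[16]; int value; struct entry *next; };

/* Illustrative "times 33" string hash; an assumption of this example. */
static unsigned spread_hash(const char *k) {
    unsigned h = 5381;
    while (*k) h = h * 33 + (unsigned char)*k++;
    return h % NBUCKETS;
}

/* Insert n distinct constructed keys ("k0000", "k0001", ...) and return the
 * number of key comparisons made. collide=1 models the worst case by sending
 * every key to bucket 0; max_entries > 0 rejects keys past that limit. */
unsigned long insert_cost(unsigned n, int collide, unsigned max_entries) {
    static struct entry *bucket[NBUCKETS];
    unsigned long compares = 0;
    memset(bucket, 0, sizeof bucket);
    for (unsigned i = 0; i < n; i++) {
        if (max_entries && i >= max_entries) break;   /* input limit reached */
        char key[16];
        snprintf(key, sizeof key, "k%04u", i);
        struct entry **head = &bucket[collide ? 0 : spread_hash(key)];
        struct entry *e;
        for (e = *head; e; e = e->next) {             /* look for the same key */
            compares++;
            if (strcmp(e->key, key) == 0) break;
        }
        if (e) { e->value = (int)i; continue; }       /* replace the old value */
        e = malloc(sizeof *e);
        if (!e) abort();
        strcpy(e->key, key);
        e->value = (int)i;
        e->next = *head;                              /* add to the linked list */
        *head = e;
    }
    for (unsigned b = 0; b < NBUCKETS; b++)           /* release the table */
        while (bucket[b]) { struct entry *e = bucket[b]; bucket[b] = e->next; free(e); }
    return compares;
}

int main(void) {
    printf("spread keys:    %lu comparisons\n", insert_cost(2000, 0, 0));
    printf("colliding keys: %lu comparisons\n", insert_cost(2000, 1, 0));
    printf("colliding, capped at 100 entries: %lu\n", insert_cost(2000, 1, 100));
    return 0;
}
```

With all keys in one list the work grows as n(n-1)/2, so limiting how many request variables are accepted bounds the worst case; PHP's `max_input_vars` setting applies a limit of this kind.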
As mentioned, other languages are also affected by this problem because they use similar hash table algorithms. The situation for PHP is actually worse because PHP is an extremely popular Web programming language. According to the researchers, 77% of the Web servers run PHP.
In Conclusion:
It should be obvious for all developers that security issues should be taken very seriously and with urgency.
In this case, the problems that hash collisions may cause to your servers may not be your fault because the issues are in the language implementation. However, it is the responsibility of the people in charge of the servers to do the necessary upgrades. So, if you were not aware of this problem, now that you were made aware it is up to you to take the necessary measures.
Article source: http://php.ezinemark.com/web-programming-with-php-7d35863f729c.html.