This Metasploit module uses a denial-of-service (DoS) condition appearing in a variety of programming languages. This vulnerability occurs when storing multiple values in a hash table and all values have the same hash value. This can cause a web server parsing the POST parameters issued with a request into a hash table to consume hours of CPU with a single HTTP request. Currently, only the hash functions for PHP and Java are implemented. This Metasploit module was tested with PHP + httpd, Tomcat, Glassfish and Geronimo. It also generates a random payload to bypass some IDS signatures.
b029e67e4fc45769ef0806adf780beee36692122a886f5bb14135c025f43efbc
HP Security Bulletin HPSBMU02786 SSRT100877 2 - Potential security vulnerabilities have been identified with HP System Management Homepage (SMH) running on Linux, Windows, and VMware ESX. The vulnerabilities could be exploited remotely resulting in unauthorized access, disclosure of information, data modification, Denial of Service (DoS), and execution of arbitrary code. Revision 2 of this advisory.
5dbefc2f5ce267adce1e15986e02edbb8a3cd8b62ebf6a7c096957f60f594794
Gentoo Linux Security Advisory 201209-3 - Multiple vulnerabilities were found in PHP, the worst of which lead to remote execution of arbitrary code. Versions less than 5.3.15 are affected.
9f816b924ad418620e160f8c0c949d6a934cbb7b2edf6d8854a05c114583d85c
HP Security Bulletin HPSBMU02786 SSRT100877 - Potential security vulnerabilities have been identified with HP System Management Homepage (SMH) running on Linux and Windows. The vulnerabilities could be exploited remotely resulting in unauthorized access, disclosure of information, data modification, Denial of Service (DoS), and execution of arbitrary code. Revision 1 of this advisory.
856251204fbecc5944b74b48232e96b353c5844f102f2b4ea9de3e11e27b5a7d
Mandriva Linux Security Advisory 2012-071 - This is a bugfix and security advisory that upgrades php to the latest 5.3.13 version for Mandriva Linux Enterprise 5.2 which resolves numerous upstream bugs in php.
028afe71e35b4463baf7313fddbd4720742bc9f50ec0c59daa263f5bc0947ff6
Apple Security Advisory 2012-05-09-1 - OS X Lion v10.7.4 and Security Update 2012-002 is now available and addresses multiple security issues. An issue existed in the handling of network account logins. The login process recorded sensitive information in the system log, where other users of the system could read it. A temporary file race condition issue existed in blued's initialization routine. There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. curl disabled the 'empty fragment' countermeasure which prevented these attacks. This issue is addressed by enabling empty fragments. A data injection issue existed in curl's handling of URLs. This issue is addressed through improved validation of URLs. This issue does not affect systems prior to OS X Lion. Various other vulnerabilities have been addressed.
8a1ec648cdab00dde0f7ff37efd462d6ad93a16f2b5d89ca92fb566b939516e3
HP Security Bulletin HPSBOV02763 SSRT100826 - Potential vulnerabilities have been identified with HP Secure Web Server (SWS) for OpenVMS running PHP. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS), unauthorized access, privilege escalation, unauthorized disclosure of information, or unauthorized modifications. Revision 1 of this advisory.
ed9a5902d9c99aabc1fc739a0ec49b2e95fcbd6c58b9ceb14b8f6abcfe7fb2bc
HP Security Bulletin HPSBUX02741 SSRT100728 2 - Potential security vulnerabilities have been identified with HP-UX Apache Running Tomcat Servlet Engine. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) or to perform an access restriction bypass. The Tomcat-based Servlet Engine is contained in the HP-UX Apache Web Server Suite. Revision 2 of this advisory.
55cdfcc13a7fe14d92fa9c28027368bdaa391209c80e57fec15c56acf2bdeff9
Ubuntu Security Notice 1358-2 - USN 1358-1 fixed multiple vulnerabilities in PHP. The fix for CVE-2012-0831 introduced a regression where the state of the magic_quotes_gpc setting was not correctly reflected when calling the ini_get() function. Various other issues were also addressed.
f0e3f2a3522dbb09758f1bf08f0d15a04e639581a43300707f483dc4b76ee08a
Ubuntu Security Notice 1358-1 - It was discovered that PHP computed hash values for form parameters without restricting the ability to trigger hash collisions predictably. This could allow a remote attacker to cause a denial of service by sending many crafted parameters. ATTENTION: this update changes previous PHP behavior by limiting the number of external input variables to 1000. This may be increased by adding a "max_input_vars" directive to the php.ini configuration file. See https://www.php.net/manual/en/info.configuration.php#ini.max-input-vars for more information. Various other issues were also addressed.
4e7832bc4af2f7480c0583d5776cc3ff599367f5f6f7376c2832f74a7230342c
HP Security Bulletin HPSBUX02741 SSRT100728 - Potential security vulnerabilities have been identified with HP-UX Apache Running Tomcat Servlet Engine. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) or to perform an access restriction bypass. The Tomcat-based Servlet Engine is contained in the HP-UX Apache Web Server Suite. Revision 1 of this advisory.
4a4c267d9d541a369ea92c687c9df43f531dfb40dcc39d4aae8a349d0e276192
Debian Linux Security Advisory 2399-2 - A regression was found in the fix for PHP's XSLT transformations. Updated packages are now available to address this regression.
4035ae5908f7161c8fd3e3ad199b05e40982d101f247f62370783a4fb90bad34
Debian Linux Security Advisory 2399-1 - Several vulnerabilities have been discovered in PHP, the web scripting language.
641d80929f164eca8f727ea93974dd480bf89f24fda91e61ea6f2db83f127f9e
Red Hat Security Advisory 2012-0071-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was found that the hashing routine used by PHP arrays was susceptible to predictable hash collisions. If an HTTP POST request to a PHP application contained many parameters whose names map to the same hash value, a large amount of CPU time would be consumed. This flaw has been mitigated by adding a new configuration directive, max_input_vars, that limits the maximum number of parameters processed per request. By default, max_input_vars is set to 1000.
5aa584ae8e2538b311608383e29e10b03cfc35f4dda508f886e8a55f83326c25
Red Hat Security Advisory 2012-0033-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was found that the hashing routine used by PHP arrays was susceptible to predictable hash collisions. If an HTTP POST request to a PHP application contained many parameters whose names map to the same hash value, a large amount of CPU time would be consumed. This flaw has been mitigated by adding a new configuration directive, max_input_vars, that limits the maximum number of parameters processed per request. By default, max_input_vars is set to 1000.
9c9db32e862cfa8b6928da78793e959113908e1b37b6c97554c73280cfc1a07d
HashCollision denial of service proof of concept exploit written in Python. It generates the payload on the fly and sends it to the server.
01da1f50ab5e7ffaf8680f1bf9bdef32b70eecac7583949ac5a2e2840b4e971a
HashCollision denial of service proof of concept exploit written in Python. It generates the payload on the fly and sends it to the server.
9ea223d1751dc755d5ba16393c4065f1bda060687cfe5211724fcb29a994c2c5
Red Hat Security Advisory 2012-0019-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was found that the hashing routine used by PHP arrays was susceptible to predictable hash collisions. If an HTTP POST request to a PHP application contained many parameters whose names map to the same hash value, a large amount of CPU time would be consumed. This flaw has been mitigated by adding a new configuration directive, max_input_vars, that limits the maximum number of parameters processed per request. By default, max_input_vars is set to 1000.
7aa667f84386bb26d8dcb73b76d783ed52d62e92fb6379d2473bb3d29b41190f
PHP 4 hash collision proof of concept code that computes hash values for form parameters.
3d3bf041251739817bd2e288dbcb0d9939d030c50313a9b6ccde7df5b0e91a31
PHP 5.3.x hash collision denial of service proof of concept exploit written in Python. It generates the payload on the fly and sends it to the server.
a40ed8e7683bd70412b64514013eea3551071db4f39c244052a9d36f89460954
PHP 5.3.x hash collision denial of service proof of concept exploit.
4fedb48a322a5c1cc6a37e6e8d60e449a09a49c804537bef9e115dec5fade8b1
Mandriva Linux Security Advisory 2011-197 - Integer overflow in the exif_process_IFD_TAG function in exif.c in the exif extension in PHP 5.4.0beta2 on 32-bit platforms allows remote attackers to read the contents of arbitrary memory locations or cause a denial of service via a crafted offset_val value in an EXIF header in a JPEG file, a different vulnerability than CVE-2011-0708. PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service by sending many crafted parameters. The updated packages have been patched to correct this issue.
65c4b018cdfd49592c9f7dbcf34ecabd28e6273c44adf4c53cd71a54905612c5
A variety of programming languages suffer from a denial-of-service (DoS) condition against storage functions of key/value pairs in hash data structures, the condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms.
0b2b66a010f07afd3a21848f6c4de292e1d20c5873c836998313c0f5f90e9999