
Icy Phoenix


English Chit Chat - Security Problem In PHP



spydie [ Thu 12 Jan, 2012 23:16 ]
Post subject: Security Problem In PHP
Just stumbled over an important security hole in PHP by reading this article.

http://www.phpclasses.org/blog/post...of-Servers.html

I'm not sure how important this is for Icy, but thought it might be interesting for some of you.


Hans [ Fri 13 Jan, 2012 03:04 ]
Post subject: Re: Security Problem In PHP
Yes, very interesting! Looks like the following quote is what people would need to worry about.

Quote:
This time the security researchers mentioned above contacted several language developers on November 1st, 2011. Not all language developers decided to give a prompt response. The response of PHP developers came in the form of a patch to PHP 5.3.9 RC 4 and PHP 5.4.0 RC 4 that adds a new configuration option in php.ini named max_input_vars.

The max_input_vars option limits the number of request variables that PHP will accept. This means that if your server gets an HTTP request with more than a given number of GET, POST, COOKIE, etc. variables, the values are ignored.

It really does not avoid the whole problem of hash collisions but at least minimizes the bad consequences of an eventual attack. The default value of the max_input_vars option is 1000, but once you upgrade to PHP 5.3.9, which was just released, or PHP 5.4.0, which is expected to be released in a few weeks, I recommend that you lower this option value further, as most Web applications never need to handle so many request variables.


I will adjust that variable on my home server, thank you!
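The quoted paragraphs say what max_input_vars limits but not why a flood of request variables hurts. The Python script below is an added example, not code from this thread, from Icy Phoenix or from the linked article: it reproduces the collision mechanism against DJBX33A, the hash PHP 5 uses for string array keys, counts the key comparisons a chained hash table performs while inserting the colliding keys, and shows how truncating the request to max_input_vars bounds that work. The block pair "Ez"/"FY" is the publicly known colliding pair for this hash (the arithmetic is in the comments); the variable counts, the table size and the limits tried are illustrative choices.

```python
"""Added example (not from the thread or the linked article).

PHP 5 stores request variables in a Zend hash table keyed by DJBX33A.
Colliding keys all land in one bucket, so each insert walks the whole chain:
n variables cost about n*n/2 key comparisons. max_input_vars caps n, which
caps that quadratic cost. Key counts, table size and limits below are
chosen for illustration.
"""
from itertools import product
from urllib.parse import urlencode


def djbx33a(key):
    """Zend's string hash (DJBX33A): h = h*33 + c, starting at 5381."""
    h = 5381
    for c in key:
        # 32-bit wrap for display; the width does not affect the collision
        h = ((h << 5) + h + c) & 0xFFFFFFFF
    return h


def collision_keys(n_blocks):
    """2**n_blocks distinct keys that all hash to the same DJBX33A value.

    'Ez' and 'FY' hash identically (69*33+122 == 70*33+89 == 2399), and the
    equality survives any prefix, so every concatenation of the two blocks
    collides with every other one of the same length.
    """
    return ["".join(p) for p in product(("Ez", "FY"), repeat=n_blocks)]


def insert_cost(keys, table_size):
    """Key comparisons a chained hash table does while inserting `keys`.

    Mirrors PHP 5's insert path: bucket = hash & (size-1), then the new key
    is compared against every entry already in that bucket. table_size must
    be a power of two, as Zend tables are.
    """
    buckets = {}
    comparisons = 0
    for k in keys:
        idx = djbx33a(k.encode()) & (table_size - 1)
        chain = buckets.setdefault(idx, [])
        comparisons += len(chain)
        chain.append(k)
    return comparisons


def accepted_vars(keys, max_input_vars):
    """Variables PHP keeps under max_input_vars: the first N, the rest ignored."""
    return keys[:max_input_vars]


def post_body(keys):
    """The attacker's request body: every colliding key as a POST variable."""
    return urlencode([(k, "1") for k in keys])


if __name__ == "__main__":
    keys = collision_keys(16)  # 65536 colliding POST variables, constructed here
    body = post_body(keys)
    print("request body bytes:", len(body))
    print("no limit, key comparisons:", insert_cost(keys, 1 << 17))
    for limit in (1000, 100):
        kept = accepted_vars(keys, limit)
        print("max_input_vars=%d, key comparisons: %d"
              % (limit, insert_cost(kept, 1 << 17)))
```

Run as-is it prints the comparison count for an uncapped table next to the counts for limits of 1000 and 100; the uncapped figure is in the billions for a request of a few megabytes, the capped ones are a few hundred thousand and a few thousand. The limit is set in php.ini (for example `max_input_vars = 100`), and PHP raises a warning mentioning "Input variables exceeded" when a request hits it, which is worth watching in the error log since ordinary forms rarely get anywhere near the cap.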



