Icy Phoenix


Security Problem In PHP
Just stumbled over an important security hole in PHP by reading this article.

I'm not sure how important this is for Icy, but thought it might be interesting for some of you.

Out of Order
spydie

Re: Security Problem In PHP
Yes, very interesting! Looks like the following quote is what people would need to worry about.

This time the security researchers mentioned above contacted several language developers on November 1st, 2011. Not all language developers decided to give a prompt response. The response of PHP developers came in the form of a patch to PHP 5.3.9 RC 4 and PHP 5.4.0 RC 4 that adds a new configuration option in php.ini named max_input_vars.

The max_input_vars option limits the number of request variables that PHP will accept. This means that if your server gets an HTTP request with more than a given number of GET, POST, COOKIE, etc. variables, the values are ignored.

It really does not avoid the whole problem of hash collisions but at least minimizes the bad consequences of an eventual attack. The default value of the max_input_vars option is 1000, but once you upgrade to PHP 5.3.9 which was just released, or PHP 5.4.0 that is expected to be released in a few weeks, I recommend that you lower this option value further, as most Web applications never need to handle so many request variables.

I will adjust that variable on my home server. Thank you!

Hans
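
Added example, not part of either post or of the quoted article: a small Python audit that reads php.ini text and reports whether the max_input_vars limit discussed above is available and tight enough. The function names, the `recommended=200` policy value and the sample php.ini are assumptions made for illustration; the 1000 default and the 5.3.9 version come from the quoted article.

```python
import re

DEFAULT_LIMIT = 1000        # default value stated in the quoted article
FIRST_PATCHED = (5, 3, 9)   # first release with max_input_vars, per the article

# Constructed sample php.ini, not taken from a real server.
SAMPLE_INI = """\
[PHP]
memory_limit = 128M
;max_input_vars = 100
max_input_vars = 1000
max_input_vars = 150   ; tightened later in the file
"""

def parse_version(text):
    """Turn '5.3.9' or '5.4.0RC4' into a tuple of three ints (RC suffix ignored)."""
    nums = re.findall(r"\d+", text)[:3]
    return tuple(int(n) for n in nums) + (0,) * (3 - len(nums))

def effective_max_input_vars(ini_text):
    """Return the last uncommented max_input_vars value, or None if unset."""
    value = None
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()   # ';' starts a php.ini comment
        m = re.fullmatch(r'max_input_vars\s*=\s*"?(\d+)"?', line)
        if m:
            value = int(m.group(1))            # a later assignment overrides an earlier one
    return value

def audit(php_version, ini_text, recommended=200):
    """Classify a server; 'recommended' is an assumed site policy, not a PHP default."""
    if parse_version(php_version) < FIRST_PATCHED:
        return "upgrade: this PHP version has no max_input_vars option"
    limit = effective_max_input_vars(ini_text)
    if limit is None:
        limit = DEFAULT_LIMIT                  # option exists but is not set explicitly
    if limit > recommended:
        return f"lower: max_input_vars is {limit}, policy is {recommended}"
    return f"ok: max_input_vars is {limit}"

if __name__ == "__main__":
    for version in ("5.3.8", "5.3.9"):
        print(version, "->", audit(version, SAMPLE_INI))
```

The commented-out line in the sample is ignored and the last live assignment wins, so a stale value earlier in the file does not give a false result.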