Security Problem In PHP


Subject: Security Problem In PHP
Just stumbled over an important security hole in PHP while reading this article.

http://www.phpclasses.org/blog/post...of-Servers.html

I'm not sure how important this is for Icy, but I thought it might be interesting for some of you.

Subject: Re: Security Problem In PHP
Yes, very interesting! Looks like the following quote is what people would need to worry about.

Quote:
This time the security researchers mentioned above contacted several language developers on November 1st, 2011. Not all language developers decided to give a prompt response. The response of the PHP developers came in the form of a patch to PHP 5.3.9 RC 4 and PHP 5.4.0 RC 4 that adds a new configuration option in php.ini named max_input_vars.

The max_input_vars option limits the number of request variables that PHP will accept. This means that if your server gets an HTTP request with more than a given number of GET, POST, COOKIE, etc. variables, the extra values are ignored.

It really does not avoid the whole problem of hash collisions, but at least it minimizes the bad consequences of an eventual attack. The default value of the max_input_vars option is 1000, but once you upgrade to PHP 5.3.9, which was just released, or PHP 5.4.0, which is expected to be released in a few weeks, I recommend that you lower this option value further, as most Web applications never need to handle so many request variables.


I will adjust that variable on my home server, 8) Thank you!
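The quoted post describes max_input_vars as a cap on how many request variables PHP will register, which bounds the work an oversized GET/POST/COOKIE payload can force on the hash tables behind $_GET, $_POST and $_COOKIE. The script below is an added example, not code from this thread, from Icy Phoenix or from the linked article: it checks that the running PHP has the option, compares it against an application ceiling (the 200 is an assumed figure), and counts how many variables a request actually got through. The function names and the constant are this example's own.

```php
<?php
// Added example, not code from the thread or from the linked article.
// Audits the max_input_vars mitigation described in the quoted post and
// reports how many request variables PHP actually accepted.

// Assumed ceiling for this example; pick the smallest value the forms of
// your own application really need (the PHP default is 1000).
define('APP_MAX_INPUT_VARS', 200);

/**
 * Check that max_input_vars exists and is at or below the ceiling.
 * PHP versions before 5.3.9 / 5.4.0 do not know the option, so ini_get()
 * returns false there, which the report treats as "mitigation absent".
 */
function audit_max_input_vars($ceiling = APP_MAX_INPUT_VARS)
{
    $raw = ini_get('max_input_vars');
    if ($raw === false || $raw === '') {
        return array(
            'supported' => false,
            'limit'     => null,
            'ok'        => false,
            'note'      => 'PHP ' . PHP_VERSION . ' has no max_input_vars; upgrade to 5.3.9+ or 5.4.0+',
        );
    }
    $limit = (int) $raw;
    $ok = ($limit > 0 && $limit <= $ceiling);
    return array(
        'supported' => true,
        'limit'     => $limit,
        'ok'        => $ok,
        'note'      => $ok
            ? "limit $limit is within the ceiling of $ceiling"
            : "limit $limit exceeds the ceiling of $ceiling; lower it in php.ini",
    );
}

/**
 * Count the leaf values in a superglobal such as $_POST. Each submitted
 * name=value pair ends up as one leaf (a nested a[b][c]=1 is still one
 * pair), so this is roughly the number of variables PHP let through.
 */
function count_input_vars(array $vars)
{
    $n = 0;
    foreach ($vars as $value) {
        $n += is_array($value) ? count_input_vars($value) : 1;
    }
    return $n;
}

$report = audit_max_input_vars();
printf("max_input_vars supported: %s\n", $report['supported'] ? 'yes' : 'no');
printf("limit: %s\n", $report['limit'] === null ? 'n/a' : $report['limit']);
printf("status: %s\n", $report['note']);

// On the CLI the superglobals are empty, so the per-request counts are
// only meaningful when the script is served by a web server.
if (PHP_SAPI !== 'cli') {
    printf("accepted GET=%d POST=%d COOKIE=%d\n",
        count_input_vars($_GET), count_input_vars($_POST), count_input_vars($_COOKIE));
}
```

Run it as `php -d max_input_vars=100 audit.php` to see the report under a given limit, or drop it on a web server to see how many variables a real request delivered. The permanent setting is one line in php.ini, for example `max_input_vars = 200`. When a request exceeds the limit, PHP 5.3.9+ logs a warning of the form "Input variables exceeded N", so watching the PHP error log for that message is a cheap way to notice oversized requests hitting the server.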


Powered by Icy Phoenix based on phpBB