MA-295.022012 : MyCERT Alert - Multiple Critical Vulnerabilities in PHP
Date first published: 2012-02-04
Multiple vulnerabilities have been reported in PHP, which can be exploited to cause a Denial of Service (DoS) and allow a remote attacker to execute arbitrary code on a vulnerable system.
The Hash Collision Denial of Service vulnerability (CVE-2011-4885) is caused by an error within a hash generation function when hashing form posts and updating a hash table. This can be exploited to cause hash collisions, resulting in high CPU consumption, via a specially crafted form sent in an HTTP POST request.
The arbitrary remote code execution vulnerability (CVE-2012-0830) exists because of the improper patch released for CVE-2011-4885, namely the poor implementation of "max_input_vars" introduced in PHP 5.3.9.
Exploiting these vulnerabilities allows a remote attacker to crash the web server that is running PHP or potentially execute code on it.
3.0 Affected Products
- Hash collision denial of service vulnerability (CVE-2011-4885)
- Arbitrary remote code execution vulnerability (CVE-2012-0830)
Users are recommended to upgrade to PHP 5.3.10, which properly fixes both vulnerabilities mentioned above.
Users are also recommended to enable Suhosin if at all possible. More information on Suhosin can be obtained here:
Users with mod_security may refer to SpiderLabs's blog post on the mitigation for the DoS vulnerability (if a PHP upgrade is not possible).
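Where an upgrade has to wait, the DoS can be blunted by capping the number of form fields before a request reaches PHP. The following is an added example, not code from MyCERT, PHP or SpiderLabs: a minimal front-end check for urlencoded POST bodies. The function names, the 1 MiB body cap and the sample bodies are assumptions; the field limit mirrors PHP's default max_input_vars of 1000, and multipart forms are not covered.

```python
# Added example: cap the number of form fields in a POST body before it
# reaches a PHP backend. Names and limits are assumptions for illustration.
from typing import NamedTuple

MAX_PARAMS = 1000          # assumption: mirrors PHP's default max_input_vars
MAX_BODY_BYTES = 1 << 20   # assumption: 1 MiB cap on urlencoded bodies
FORM_TYPE = "application/x-www-form-urlencoded"


class Verdict(NamedTuple):
    allow: bool
    reason: str


def count_params(body: bytes, stop_after: int) -> int:
    """Count non-empty '&'-separated fields, stopping once past stop_after.

    The scan never builds a dict, so the check itself cannot be slowed
    down by keys that collide in a hash table.
    """
    count, start, n = 0, 0, len(body)
    while start <= n:
        end = body.find(b"&", start)
        if end == -1:
            end = n
        if end > start:            # skip empty fields such as "a=1&&b=2"
            count += 1
            if count > stop_after:
                return count       # early exit: no need to scan the rest
        start = end + 1
    return count


def inspect_post(content_type: str, body: bytes) -> Verdict:
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != FORM_TYPE:
        return Verdict(True, "not a urlencoded form; out of scope for this check")
    if len(body) > MAX_BODY_BYTES:
        return Verdict(False, "body exceeds MAX_BODY_BYTES")
    seen = count_params(body, MAX_PARAMS)
    if seen > MAX_PARAMS:
        return Verdict(False, "more than %d form fields" % MAX_PARAMS)
    return Verdict(True, "%d form fields" % seen)


# Constructed sample bodies (not captured traffic).
NORMAL = b"user=alice&comment=hello+world&page=2"
OVERSIZED = b"&".join(b"k%d=1" % i for i in range(MAX_PARAMS + 1))
```

A request for which `inspect_post` returns `allow=False` would be rejected at the proxy or gateway (for example with HTTP 413) instead of being forwarded to PHP.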
Generally, MyCERT advises users of this software to keep up to date with the latest security announcements by the vendor. For any enquiries, MyCERT can be reached through the following channels:
E-mail : firstname.lastname@example.org
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
Business Hours : Mon - Fri 08:30 - 17:30 MYT