CVE-2011-4885

PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00013.html
http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00016.html
http://marc.info/?l=bugtraq&m=132871655717248&w=2
http://marc.info/?l=bugtraq&m=133469208622507&w=2
http://rhn.redhat.com/errata/RHSA-2012-0071.html
http://secunia.com/advisories/47404
http://secunia.com/advisories/48668
http://support.apple.com/kb/HT5281
http://svn.php.net/viewvc?view=revision&revision=321003
http://svn.php.net/viewvc?view=revision&revision=321040
http://www.debian.org/security/2012/dsa-2399
http://www.exploit-db.com/exploits/18296
http://www.exploit-db.com/exploits/18305
http://www.kb.cert.org/vuls/id/903934	US Government Resource
http://www.mandriva.com/security/advisories?name=MDVSA-2011:197
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
http://www.nruns.com/_downloads/advisory28122011.pdf
http://www.ocert.org/advisories/ocert-2011-003.html
http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
http://www.redhat.com/support/errata/RHSA-2012-0019.html
http://www.securityfocus.com/bid/51193
http://www.securitytracker.com/id?1026473
https://exchange.xforce.ibmcloud.com/vulnerabilities/72021
https://github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php:5.0.0:::::::*
	cpe:2.3:a:php:php:5.0.0:beta1::::::
	cpe:2.3:a:php:php:5.0.0:beta2::::::
	cpe:2.3:a:php:php:5.0.0:beta3::::::
	cpe:2.3:a:php:php:5.0.0:beta4::::::
	cpe:2.3:a:php:php:5.0.0:rc1::::::
	cpe:2.3:a:php:php:5.0.0:rc2::::::
	cpe:2.3:a:php:php:5.0.0:rc3::::::
	cpe:2.3:a:php:php:5.0.1:::::::*
	cpe:2.3:a:php:php:5.0.2:::::::*
	cpe:2.3:a:php:php:5.0.3:::::::*
	cpe:2.3:a:php:php:5.0.4:::::::*
	cpe:2.3:a:php:php:5.0.5:::::::*
	cpe:2.3:a:php:php:5.1.1:::::::*
	cpe:2.3:a:php:php:5.1.2:::::::*
	cpe:2.3:a:php:php:5.1.3:::::::*
	cpe:2.3:a:php:php:5.1.4:::::::*
	cpe:2.3:a:php:php:5.1.5:::::::*
	cpe:2.3:a:php:php:5.1.6:::::::*
	cpe:2.3:a:php:php:5.2.0:::::::*
	cpe:2.3:a:php:php:5.2.1:::::::*
	cpe:2.3:a:php:php:5.2.2:::::::*
	cpe:2.3:a:php:php:5.2.3:::::::*
	cpe:2.3:a:php:php:5.2.4:::::::*
	cpe:2.3:a:php:php:5.2.5:::::::*
	cpe:2.3:a:php:php:5.2.6:::::::*
	cpe:2.3:a:php:php:5.2.7:::::::*
	cpe:2.3:a:php:php:5.2.8:::::::*
	cpe:2.3:a:php:php:5.2.9:::::::*
	cpe:2.3:a:php:php:5.2.10:::::::*
	cpe:2.3:a:php:php:5.2.11:::::::*
	cpe:2.3:a:php:php:5.2.12:::::::*
	cpe:2.3:a:php:php:5.2.14:::::::*
	cpe:2.3:a:php:php:5.2.15:::::::*
	cpe:2.3:a:php:php:5.2.16:::::::*
	cpe:2.3:a:php:php:5.2.17:::::::*
	cpe:2.3:a:php:php:5.3.0:::::::*
	cpe:2.3:a:php:php:5.3.1:::::::*
	cpe:2.3:a:php:php:5.3.2:::::::*
	cpe:2.3:a:php:php:5.3.3:::::::*
	cpe:2.3:a:php:php:5.3.4:::::::*
	cpe:2.3:a:php:php:5.3.5:::::::*
	cpe:2.3:a:php:php:5.3.6:::::::*
	cpe:2.3:a:php:php:5.3.7:::::::*

History

No history.

Information

Published : 2011-12-30 01:55

Updated : 2024-02-04 17:54

NVD link : CVE-2011-4885

Mitre link : CVE-2011-4885

CVE.ORG link : CVE-2011-4885

JSON object : View

Products Affected

php

CWE

CWE-20

Improper Input Validation

5.0 /10