There’s a very good post on Ars Technica forums about testing Linux servers running PHP for the hash collision vulnerability. I tested my Fedora 15 system as described and found that it was vulnerable.
The original post, however, describes patching the vulnerability with Ubuntu in mind. On my Fedora system the steps had to be slightly different. Here’s what I did to apply the patch.
1. Log in as root:
[me@myserver html]$ su
Enter the root password when asked.
2. Install the Suhosin patch:
[root@myserver html]# yum install php-suhosin
On my system, this command installed the php-suhosin-0.9.32.1-2.fc15.i686 package from the Fedora repository.
3. Restart Apache:
[root@myserver html]# apachectl restart
4. Check the value of the suhosin.post.max_vars configuration variable; it should be set to 1000 or less. (I actually did it by viewing the output of phpinfo() in a browser, so no command line here… Speaking of the phpinfo() output, the location of the suhosin.ini file is also displayed, so if you need to edit it, you can find out where it is.)
5. Test for the vulnerability again as described in the original post:
[root@myserver html]# wget -O - --post-file /tmp/hashcollide.txt http://127.0.0.1/hashtest.php
In my case, the vulnerability was fixed.
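Step 4 above was done through phpinfo() in a browser. The following shell script is an added example, not part of the original post or of the Suhosin project: it performs the same check from the command line by parsing the output of `php -i` (the CLI equivalent of phpinfo()) and verifying that suhosin.post.max_vars is present and at most 1000. The sample `php -i` output embedded in the script is constructed for offline use; the live check at the end assumes the `php` CLI is installed and reads the same /etc/php.d/suhosin.ini as the Apache module does on Fedora, which is an assumption to verify on your own system.

```shell
#!/bin/sh
# Added example (not from the original post): check the Suhosin limit from the
# command line instead of through phpinfo() in a browser.

# Constructed sample of `php -i` output, used so the functions can be
# exercised without a PHP installation.
SAMPLE_PHP_INFO='suhosin.post.max_vars => 1000 => 1000
suhosin.request.max_vars => 1000 => 1000
suhosin.log.syslog => no value => no value'

# Print the effective value of one php -i setting, or nothing if it is absent.
# $1 = setting name, $2 = php -i output text
ini_value() {
    printf '%s\n' "$2" | awk -v key="$1" '$1 == key && $2 == "=>" { print $3; exit }'
}

# Return 0 when the setting is present, numeric and at most the limit
# (1000 by default, matching step 4 of the post); return 1 otherwise.
# Usage: check_max_vars <setting> "<php -i output>" [limit]
check_max_vars() {
    val=$(ini_value "$1" "$2")
    limit=${3:-1000}
    case "$val" in
        ''|*[!0-9]*) return 1 ;;   # missing or non-numeric: Suhosin is not active
    esac
    [ "$val" -le "$limit" ]
}

# Live check against the installed PHP CLI, if there is one. Assumption: the
# CLI and the Apache SAPI load the same /etc/php.d/suhosin.ini, as on Fedora.
if command -v php >/dev/null 2>&1; then
    if check_max_vars suhosin.post.max_vars "$(php -i 2>/dev/null)"; then
        echo "suhosin.post.max_vars is within limit"
    else
        echo "suhosin.post.max_vars missing or too high: is Suhosin loaded?"
    fi
fi
```

A missing setting is reported as a failure on purpose: if `php -i` shows no suhosin.post.max_vars line at all, the extension was installed but not loaded, and the limit protects nothing.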