Author: zores <hi>
Date: 5/22/2017 6:33:47 PM
Subject: RE: Fastest internet EVAR?!

Using that info disclosure, I googled your Debian-based PHP.

https://security-tracker.debian.org/tracker/source-package/php5

The most interesting one for me is the trivial hash complexity DoS attack:

https://security-tracker.debian.org/tracker/TEMP-0800564-79703B

https://github.com/bk2204/php-hash-dos

How do I know if my PHP app is vulnerable?

If your PHP app accepts JSON or YAML input from the user, or accepts untrusted input and inserts that input as keys in a hash, your application is likely vulnerable. An example JSON file with 1048576 entries is in the example directory. You can upload part or all of this file to your application and see how it performs.

On a 2.8 GHz Core i7, a JSON file containing 65536 entries takes the scripts/exploited.php script 5.358 seconds to process with PHP 7. With twice as many entries, it takes 21 seconds to process. PHP 5.6 performs much worse: the smaller file itself takes 22 seconds.
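To illustrate why the timings quoted above roughly quadruple when the entry count doubles, here is an added example that is not part of the post or of the php-hash-dos repository. It uses a toy chained hash table and a byte-sum hash (both assumptions, not PHP's real implementation), counts key comparisons for constructed colliding keys, and compares that with a keyed hash, the usual mitigation.

```python
import hashlib
import os

class ChainedTable:
    """Toy separate-chaining hash table that counts key comparisons."""
    def __init__(self, buckets, hash_fn):
        self.buckets = [[] for _ in range(buckets)]
        self.hash_fn = hash_fn
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (existing, _) in enumerate(chain):
            self.comparisons += 1  # one probe down the collision chain
            if existing == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

def weak_hash(key):
    # Unkeyed, predictable toy hash (byte sum). Assumption: NOT PHP's real function.
    return sum(key.encode())

def make_keyed_hash(secret):
    # Keyed hash: bucket placement depends on a secret the client never sees.
    def keyed(key):
        digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "big")
    return keyed

def constructed_colliding_keys(n, bits=16):
    # Constructed sample input: each bit becomes "ab" or "ba", so all byte sums match.
    return ["".join("ab" if (i >> b) & 1 else "ba" for b in range(bits))
            for i in range(n)]

def comparisons_for(keys, hash_fn, buckets=4096):
    table = ChainedTable(buckets, hash_fn)
    for key in keys:
        table.insert(key, True)
    return table.comparisons

if __name__ == "__main__":
    keys = constructed_colliding_keys(2048)
    for n in (1024, 2048):
        print(n, "keys, weak hash: ", comparisons_for(keys[:n], weak_hash))
    print(2048, "keys, keyed hash:", comparisons_for(keys, make_keyed_hash(os.urandom(16))))
```

With every key in one bucket, n inserts cost n(n-1)/2 comparisons, so going from 1024 to 2048 keys takes the count from 523776 to 2096128, the same 4x shape as the 5.358 s and 21 s figures; the keyed hash keeps the same 2048 keys to a few hundred comparisons.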