• April 4, 2012

    Beware of max_input_vars php ini configuration option

    If you are updating PHP on your production server, beware of relatively new max_input_vars php.ini directive which is now 1000 by default. That means if you have 1001 form field - only 1000 form fields will be submitted. Use of this directive mitigates the possibility of denial of service attacks which use hash collisions in connection with CVE-2011-4885.

    From php changelog:

    2012-01-03 : security / trunk - Added php-5.2-max-input-vars patch max_input_vars directive to prevent attacks based on hash collisions - CVE-2011-4885

    Why we have so much form fields is a subject for different post. The main problem is that even php site says this update is available from PHP version 5.3.9. The fact is we have 5.3.2-1ubuntu4.14 and the update is there.

    So... you know... beware. :)

Reader comments:

  1.  

    July 11, 2012 @ 15:57

    Sascha says:

    Same problem with PHP PHP 5.1.6 (!) on prroduktiv Redhat ES Server

  2.  

    July 26, 2012 @ 23:50

    Thiago Cruz says:

    Thank you for posting that…by the way we had problems with this directive using version
    5.3.2-1ubuntu4.15.

  3.  

    January 12, 2014 @ 14:45

    Jason Judge says:

    To help warn people of this problem, I have created a plugin for WordPress:

    http://wordpress.org/plugins/wp-max-submit-protect/

    This plugin will monitor, at the front end, how many fields a form is about to post. If it exceeds the server limit, then it will warn you and give you a chance to cancel the submit, fix your server settings, then try submitting again. Hope you find it useful.

Have your say:

 
This blog is Gravatar friendly. Don't have Gravatar? Get one fast!
 

Proudly running on Word Press, and above all, proudly using Comic Sans.

Nivas.hr © Copyright 2009    All right reserved    Made in Croatia Yeah, we made our own site!Nivas.hr