Beware of max_input_vars php ini configuration option

Author: seven April 4, 2012

If you are updating PHP on your production server, beware of relatively new max_input_vars php.ini directive which is now 1000 by default. That means if you have 1001 form field - only 1000 form fields will be submitted. Use of this directive mitigates the possibility of denial of service attacks which use hash collisions in connection with CVE-2011-4885.

From php changelog:

2012-01-03 : security / trunk - Added php-5.2-max-input-vars patch max_input_vars directive to prevent attacks based on hash collisions - CVE-2011-4885

Why we have so much form fields is a subject for different post. The main problem is that even php site says this update is available from PHP version 5.3.9. The fact is we have 5.3.2-1ubuntu4.14 and the update is there.

So... you know... beware. :)

CEO/CTO at Nivas®
Neven Jacmenović has been passionately involved with computers since late 80s, the age of Atari and Commodore Amiga. As one of internet industry pioneers in Croatia, since 90s, he has been involved in making of many award winning, innovative and successful online project. He is experienced full stack web developer, analyst and system engineer. In his spare time, Neven is transforming retro-futuristic passion into various golang, Adobe Flash and JavaScript/WebGL projects.

    3 thoughts on “Beware of max_input_vars php ini configuration option”

  • Same problem with PHP PHP 5.1.6 (!) on prroduktiv Redhat ES Server

  • Thank you for posting that…by the way we had problems with this directive using version

  • To help warn people of this problem, I have created a plugin for WordPress:

    This plugin will monitor, at the front end, how many fields a form is about to post. If it exceeds the server limit, then it will warn you and give you a chance to cancel the submit, fix your server settings, then try submitting again. Hope you find it useful.

  • Leave a Reply

    Your email address will not be published. Required fields are marked *