Arrays are very popular types of data in PHP and other scripting languages. These types of data that can store a variable number of entries of any type. You can save an unlimited number of entries in the array as you want. This is the main problem of vulnerability known as the Hash collision.
In PHP and other languages ??used to implement web applications, arrays are used to store values, variables such as $ _GET, $ _POST, $ COOKIE, etc.. If you receive a request from a large number of requests values ??to the latest versions of PHP may encounter problems.
Let me explain what the problem is superficial. PHP engine performance, which is implemented in C reads the HTTP-request data and build arrays to store the query variables. This happens even before any PHP code starts running.
In C and other languages, arrays are implemented as data structures, called the hash table. In simplified terms, hash tables are arrays of linked lists of records.These arrays have a fixed size.
Every time you want to add a new entry in the hash table to calculate the hash value for a new key element of the array. This hash value is an integer that specifies in which a linked list of the new array will be added.
Once the hash code table defines a linked list that belongs to a new record, it determines whether there is already an entry with the same array key is that the linked list. If there are no records with the same key value, the new value of the array element is added to the linked list. Otherwise, the new value replaces the old record entry with the same key.
This is a process that is fast enough, if the number of entries in the array is relatively small. However, if the array has a very large number of entries, insert new records performance starts degrading.
This problem can be greatly exacerbated if the key values ??that will be added to the array have the same hash value, that is, they will be added to the same linked list.
The fact that some security researchers have discovered a way to easily identify a large number of sets of keys which can be used to make HTTP-request with many variables request (GET, POST, COOKIE, etc..) What can PHP take a few hours or, perhaps more to process a single HTTP request simply by PHP to consume all the CPU is to make the request variable arrays.
This means that even a relatively small number of requests an attacker can make PHP consume all the CPU it gets, until the car almost stops if something kills the affected process PHP.
As already mentioned, other languages ??also suffer from this problem because they use similar algorithms for hashing table. Question PHP is actually worse, because PHP is a very popular web programming language. According to researchers, 77% of Web servers running PHP.
Despite this explanation is very technical, it’s still a bit simplistic. If you want to learn more about the low detail level, you can watch a video conference, at which security researchers reported vulnerabilities.