The PHP developers are working to fix a critical security vulnerability in PHP that they introduced with a recent security patch. The current stable release is affected; however, it is not yet clear whether the questionable patch was also applied to older versions.
The cause of the problem is the security update to PHP 5.3.9, which was written to prevent denial of service (DoS) attacks using hash collisions. To do so, the developers limited the maximum possible number of input parameters to 1,000 in php_variables.c using max_input_vars. Because of mistakes in the implementation, hackers can intentionally exceed this limit and inject and execute code. The bug is considered to be critical as code can be remotely injected over the web.

The link for this article located at H Security is no longer available.