Just about a month ago, PHP 5.3.9 was released, which included a patch for the “hash collision” problem. The basic hash collision problem affected various languages, including php and .Net (Microsoft fixed the issue in an out of band patch 2011-100 in late December).
PHP fixed the issue not by introducing a new hash function, but instead it limited the number of input parameters. Just like the php hardening patch suhosin did all along, PHP now supported a “max_input_var” parameter to limit the number of input parameters a request may send. The default limit was set to 1,000, plenty for most web applications.
Sadly, the fix was implemented incorrectly, and introduced a more severe vulnerability, a remote code execution vulnerability. Thats right: An attacker could craft a request, that will execute code on a web server running PHP 5.3.9.
Today, the PHP team released PHP 5.3.10 to address the issue.
If you are running PHP 5.3.9: PATCH NOW! This is a very critical bug. Read More