a guest
Feb 6th, 2012
The PHP max_input_vars 32bit / 64bit Information Leak Challenge
===============================================================

With the introduction of PHP 5.3.9 there is now a max_input_vars INI
directive in PHP that allows you to limit the number of variables
that are accepted within one array level. The naming of this setting
is a bit troubling, because it is wrong. This setting also does not
affect the registration of numerical autoindices.

Suhosin-Extension has had similar features for many years and they
affect all variables.

So by now we all know that the introduction of the max_input_vars
feature introduced a critical remote code execution vulnerability
that was backported into older PHP versions by RedHat, Debian,
CentOS and maybe others. Therefore it is a good time to upgrade.

---

Within the XSS community it is common to have some challenges all
the time to bypass filters or other kinds of things. So now let's
have a challenge in the world of PHP:

Due to the new max_input_vars feature there is now the possibility
to abuse an older problem in the code to detect with a single HTTP
request if the remote system is running a 32 bit or a 64 bit PHP.
Knowing this is not a critical security problem, but it allows
attackers of remote memory corruption vulnerabilities to better
prepare for the target. (This problem affects nearly all PHP
applications).

Putting out this challenge does not cause much danger to the PHP
community. In the case of the 5.3.9 vulnerability the difference
it makes is maybe one less SIGSEGV in the Apache log file, which
is not a lot if the brute force exploit would leave 4000 crashes
anyway.

So the challenge is:

--------------------

You have a web app with a PHP 5.3.10 powered HTML form.

Tell me how you can find out with a single HTTP request that the
target is a 32 bit or a 64 bit server.

A last tip: Disable Suhosin-Extension for tests, because it
already protects you from this.

Please do not discuss the results of this challenge online.
I would like to see how many people see the problem and how
many fail to see it, after I gave this info.

Instead send your solution to stefan.esser@sektioneins.de

BTW: You can win nothing except for the 14.99999999999999999999
seconds of fame