So what actually causes the collision?

Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine
On Apr 4, 2013 10:10 PM, "Pete Freitag" <[email protected]> wrote:

>
> Just to give you an idea with 80,000 post params that caused a hash
> collision it took my quad core desktop 31 minutes to respond to the
> request, sending a larger number of post params 120,000 that did not have a
> collision executed in 3 seconds. So what is safe really depends on your
> tolerance and CPU processing power.
>
> With 1000 colliding params you can probably cause a few seconds of
> processing time on the server.
>
> --
> Pete Freitag - Adobe Community Professional
> http://foundeo.com/ - ColdFusion Consulting & Products
> http://hackmycf.com - Is your ColdFusion Server Secure?
> http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
> minutes
>
>
>
> On Thu, Apr 4, 2013 at 4:57 PM, Chris <[email protected]> wrote:
>
> >
> > How many is too many post parameters?
> >
> >
> > We've had a few applications fail with the new postParametersLimit in CHF4
> > (the included Security Hotfix APSB12-06,
> > http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html )
> >
> > Even increasing postParametersLimit from 100 to 200 isn't enough -- one
> > application uses 1006 post parameters ( !! )
> >
> >
> > So given that this is a denial of service attack prevention, how risky is
> > it letting 1100 post parameters go through with every request? I'm figuring
> > a real DoS attack would have a lot more than 1100 parameters, but setting
> > post parameters for 11 times the security update value sounds like poor
> > practice.
> >
> > thank you,
> > Chris
> >
> >
> >
>
> 
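
The following is an added illustration, not part of the thread and not ColdFusion's or Adobe's code: it shows why parameter names that share a hash are expensive and how a request body can be checked for them before it is processed. It assumes names are keyed by Java's `String.hashCode()` in a chained hash table; the function names, the `max_bucket` threshold and the sample bodies are hypothetical, and `max_params=100` mirrors the postParametersLimit value mentioned above.

```python
from collections import Counter
from urllib.parse import parse_qsl


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + unit over UTF-16 units, signed 32-bit."""
    data = s.encode("utf-16-be", "surrogatepass")
    h = 0
    for i in range(0, len(data), 2):
        h = (31 * h + int.from_bytes(data[i:i + 2], "big")) & 0xFFFFFFFF
    return h - (1 << 32) if h >= (1 << 31) else h


def chain_cost(k: int) -> int:
    """Key comparisons needed to insert k distinct keys into one chained bucket."""
    return k * (k - 1) // 2


def collision_report(body: str) -> dict:
    """Group the distinct parameter names of a urlencoded body by hash value.

    Names with equal 32-bit hashes share a bucket at every table size, so
    this is a lower bound on chaining; unequal hashes may still share one.
    """
    names = {name for name, _ in parse_qsl(body, keep_blank_values=True)}
    buckets = Counter(java_string_hash(n) for n in names)
    return {
        "params": len(names),
        "largest_bucket": max(buckets.values(), default=0),
        "chain_compares": sum(chain_cost(k) for k in buckets.values()),
    }


def should_reject(body: str, max_params: int = 100, max_bucket: int = 8) -> bool:
    """Reject on parameter count or on too many names sharing one hash."""
    report = collision_report(body)
    return report["params"] > max_params or report["largest_bucket"] > max_bucket


# Constructed sample bodies. "Aa" and "BB" both hash to 2112, so every
# concatenation of those two blocks hashes identically as well.
COLLIDING = "AaAa=1&AaBB=2&BBAa=3&BBBB=4"
NORMAL = "name=a&email=b&phone=c&city=d"

if __name__ == "__main__":
    print(collision_report(COLLIDING))
    print(collision_report(NORMAL))
    print("comparisons for 80,000 names in one bucket:", chain_cost(80_000))
```

The comparison count grows with the square of the number of colliding names, while well-distributed names cost roughly one step each, which is consistent with the gap between the two timings quoted above.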
