The vulnerability is caused by hash collisions, so if two strings hash to
the same value, for example the result of Java's hashCode() function on the
name of a form field, then the hash table data structure becomes very
inefficient. ColdFusion uses some sort of hash table algorithm to store
the form fields (as well as URL fields, cookies, etc., but these are
typically limited in size, which makes them less of a target for this
attack). CF was not the only technology to get hit by this issue; many
others were too, including ASP.NET, node.js, J2EE/Tomcat, etc.

Typically a hash table algorithm will account for collisions by putting all
objects with the same hash code in a bucket, and then doing a comparison of
each value in the bucket to fetch the correct one, or to see if it is a
duplicate when adding a new entry. You can see how the bucket could get
very big, and operations on it get slower and slower with each collision
added to the bucket, if an attacker crafts a request with thousands of input
variables whose names all collide to the same hash code.

Under normal circumstances having 1000 form fields will not cause any
collisions at all, and hash table lookups are quite fast. You may still
want to limit the overall size of a request, but the HashDOS can be
relatively small (e.g. 1-2 MB), so that is why limiting the number of fields is
considered the best protection.

I wrote a blog entry on this a while back that explains it as well:
http://www.petefreitag.com/item/808.cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
minutes
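To make the bucket behaviour above concrete, here is an added example (not code from the thread or from ColdFusion): a small separate-chaining hash table that counts key comparisons on insert, run once with a well-distributed hash and once with a stand-in hash under which every field name lands in the same bucket, plus a parameter-count check that bounds the worst case the way a postParametersLimit does. The bucket count, field names and the 100-parameter default are constructed for the demonstration.

```python
from typing import Callable, Dict, List, Tuple

Key = str


class CountingHashTable:
    """Separate-chaining table that counts the equality checks each insert performs."""

    def __init__(self, hash_fn: Callable[[Key], int], buckets: int = 1024) -> None:
        self.hash_fn = hash_fn
        self.buckets: List[List[Tuple[Key, str]]] = [[] for _ in range(buckets)]
        self.comparisons = 0

    def put(self, key: Key, value: str) -> None:
        bucket = self.buckets[self.hash_fn(key) % len(self.buckets)]
        # Every existing entry in the bucket must be compared to detect a duplicate.
        for i, (existing, _) in enumerate(bucket):
            self.comparisons += 1
            if existing == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))


def good_hash(key: Key) -> int:
    return hash(key)  # Python's string hash spreads names across buckets


def colliding_hash(key: Key) -> int:
    # Stand-in for a crafted request whose field names all share one hash code
    # (constructed for the example; no real collision generation here).
    return 0


def insertion_cost(n: int, hash_fn: Callable[[Key], int]) -> int:
    """Insert n distinct form field names and return the comparisons performed."""
    table = CountingHashTable(hash_fn)
    for i in range(n):
        table.put(f"field{i}", "x")
    return table.comparisons


def worst_case_comparisons(limit: int) -> int:
    """Upper bound on comparisons once at most `limit` fields are accepted: n(n-1)/2."""
    return limit * (limit - 1) // 2


def within_post_parameter_limit(params: Dict[str, str], limit: int = 100) -> bool:
    """Reject the request before parsing if it carries more fields than allowed."""
    return len(params) <= limit
```

With 1000 fields the colliding run performs 499,500 comparisons, while the well-distributed run needs only a few hundred; capping the field count to 100 bounds the worst case at 4,950.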



On Thu, Apr 4, 2013 at 5:23 PM, Russ Michaels <r...@michaels.me.uk> wrote:

>
> So what actually causes the collision?
>
> Regards
> Russ Michaels
> www.michaels.me.uk
> www.cfmldeveloper.com - Free CFML hosting for developers
> www.cfsearch.com - CF search engine
> On Apr 4, 2013 10:10 PM, "Pete Freitag" <p...@foundeo.com> wrote:
>
> >
> > Just to give you an idea with 80,000 post params that caused a hash
> > collision it took my quad core desktop 31 minutes to respond to the
> > request, sending a larger number of post params 120,000 that did not
> > have a collision executed in 3 seconds. So what is safe really depends
> > on your tolerance and CPU processing power.
> >
> > With 1000 colliding params you can probably cause a few seconds of
> > processing time on the server.
> >
> > --
> > Pete Freitag - Adobe Community Professional
> > http://foundeo.com/ - ColdFusion Consulting & Products
> > http://hackmycf.com - Is your ColdFusion Server Secure?
> > http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
> > minutes
> >
> >
> >
> > On Thu, Apr 4, 2013 at 4:57 PM, Chris <0404tow...@gmail.com> wrote:
> >
> > >
> > > How many is too many post parameters?
> > >
> > >
> > > We've had a few applications fail with the new postParametersLimit in
> > > CHF4 (the included Security Hotfix APSB12-06,
> > > http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html )
> > >
> > > Even increasing postParametersLimit from 100 to 200 isn't enough -- one
> > > application uses 1006 post parameters ( !! )
> > >
> > >
> > > So given that this is a denial of service attack prevention, how risky
> > > is it letting 1100 post parameters go through with every request? I'm
> > > figuring a real DoS attack would have a lot more than 1100 parameters,
> > > but setting post parameters for 11 times the security update value
> > > sounds like poor practice.
> > >
> > > thank you,
> > > Chris
> > >
> > >
> > >
> >
> >
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355289