Thanks for your comments, Pete, Dave.
Good links, Pete, that really helped me understand what's going on.
Interesting to see such variation in default number of postParameters in
ASP.net (1,000), Tomcat (10,000) and ColdFusion (100).

We identified that most of the 1,006 postParameters in that one application
are actually blank ( !! ).  And yes, we think a rewrite is in order.

Regards,
Chris


On Thu, Apr 4, 2013 at 11:53 PM, Pete Freitag <[email protected]> wrote:

>
> The vulnerability is caused by hash collisions, so if two strings hash to
> the same value, for example the result of Java's hashCode() function on the
> name of a form field, then the hash table data structure becomes very
> inefficient.  ColdFusion uses some sort of hash table algorithm to store
> the form fields (as well as URL fields, cookies, etc., but these are
> typically limited in size, which makes them less of a target for this
> attack). CF was not the only technology to get hit by this issue; many
> others were, including ASP.NET, node.js, J2EE/Tomcat, etc.
>
> Typically a hash table algorithm will account for collisions by putting all
> objects with the same hash code in a bucket, and then doing a comparison of
> each value in the bucket to fetch the correct one, or to see if it is a
> duplicate when adding a new entry. You can see how the bucket could get
> very big, and operations on it get slower and slower with each collision
> added to the bucket if an attacker crafts a request with thousands of input
> variables whose names all collide to the same hash code.
>
> Under normal circumstances having 1000 form fields will not cause any
> collisions at all, and hash table lookups are quite fast. You may still
> want to limit the overall size of a request, but the HashDoS request can be
> relatively small (e.g. 1-2 MB), so that is why limiting the number of fields
> is considered the best protection.
>
> I wrote a blog entry on this a while back that also explains it:
> http://www.petefreitag.com/item/808.cfm
>
> --
> Pete Freitag - Adobe Community Professional
> http://foundeo.com/ - ColdFusion Consulting & Products
> http://hackmycf.com - Is your ColdFusion Server Secure?
> http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
> minutes
>
>
>
> On Thu, Apr 4, 2013 at 5:23 PM, Russ Michaels <[email protected]> wrote:
>
> >
> > So what actually causes the collision?
> >
> > Regards
> > Russ Michaels
> > www.michaels.me.uk
> > www.cfmldeveloper.com - Free CFML hosting for developers
> > www.cfsearch.com - CF search engine
> > On Apr 4, 2013 10:10 PM, "Pete Freitag" <[email protected]> wrote:
> >
> > >
> > > Just to give you an idea: with 80,000 post params that caused a hash
> > > collision, it took my quad-core desktop 31 minutes to respond to the
> > > request; sending a larger number of post params (120,000) that did not
> > > have a collision executed in 3 seconds. So what is safe really depends on
> > > your tolerance and CPU processing power.
> > >
> > > With 1000 colliding params you can probably cause a few seconds of
> > > processing time on the server.
> > >
> > > --
> > > Pete Freitag - Adobe Community Professional
> > > http://foundeo.com/ - ColdFusion Consulting & Products
> > > http://hackmycf.com - Is your ColdFusion Server Secure?
> > > http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
> > > minutes
> > >
> > >
> > >
> > > On Thu, Apr 4, 2013 at 4:57 PM, Chris <[email protected]> wrote:
> > >
> > > >
> > > > How many is too many post parameters?
> > > >
> > > >
> > > > We've had a few applications fail with the new postParametersLimit in
> > > > CHF4 (the included Security Hotfix APSB12-06,
> > > > http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html).
> > > >
> > > > Even increasing postParametersLimit from 100 to 200 isn't enough -- one
> > > > application uses 1006 post parameters ( !! )
> > > >
> > > >
> > > > So given that this is a denial of service attack prevention, how risky
> > > > is it letting 1100 post parameters go through with every request? I'm
> > > > figuring a real DoS attack would have a lot more than 1100 parameters,
> > > > but setting post parameters to 11 times the security update value sounds
> > > > like poor practice.
> > > >
> > > > thank you,
> > > > Chris
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
> 

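As an added illustration of the bucket behaviour Pete describes, and of why the postParametersLimit check counts fields rather than bytes, the following Python is example code written for this archive page; it is not code from the thread, from Pete's blog or from ColdFusion. It reimplements Java's String.hashCode() so the collision construction can be shown without a JVM, loads colliding and ordinary field names into a small separate-chaining table that counts key comparisons, and rejects an over-limit body before hashing anything. The names java_hash, colliding_names, ChainedTable, parse_form_body, comparisons_for, the 1024-bucket table and the constructed form bodies are assumptions for the demonstration; ColdFusion's real form-scope implementation is not shown. The example goes beyond the thread in showing how the colliding names are actually built ("Aa" and "BB" share hashCode 2112, and any concatenation of those blocks collides).

```python
"""Added example for this archive page (not code from the thread or from
ColdFusion): a separate-chaining hash table that counts key comparisons,
fed with form-field names that all share one Java String.hashCode() value,
next to the field-count check that postParametersLimit performs."""

import itertools
from typing import List, Optional


def java_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c per char, as a signed 32-bit int.
    Reimplemented here so the collision construction needs no JVM."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h >= (1 << 31) else h


def colliding_names(count: int) -> List[str]:
    """Return `count` distinct field names with identical hashCode().

    "Aa" and "BB" both hash to 2112. Because hashCode() is a base-31
    polynomial, any string built by concatenating k of these two-character
    blocks has the same hash as any other such string, giving 2**k collisions.
    """
    blocks = ("Aa", "BB")
    k = max(1, (count - 1).bit_length())        # smallest k with 2**k >= count
    names = ["".join(p) for p in itertools.product(blocks, repeat=k)]
    return names[:count]


class ChainedTable:
    """Minimal hash table with one list per bucket (an assumption for the demo,
    not ColdFusion's form-scope implementation). It counts every key comparison
    made while walking a bucket, which is the work an attacker inflates."""

    def __init__(self, nbuckets: int = 1024):
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def put(self, key: str, value: str) -> None:
        bucket = self.buckets[java_hash(key) % len(self.buckets)]
        for entry in bucket:                    # duplicate check walks the chain
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        bucket.append([key, value])


def parse_form_body(body: str, post_parameters_limit: Optional[int] = None) -> ChainedTable:
    """Parse an application/x-www-form-urlencoded body into a ChainedTable.

    If a limit is given, the request is rejected by counting '&'-separated
    pairs before any name is hashed, which is why a field-count limit stops
    the attack even though the body itself is small.
    """
    pairs = body.split("&") if body else []
    if post_parameters_limit is not None and len(pairs) > post_parameters_limit:
        raise ValueError(
            f"{len(pairs)} post parameters exceeds limit {post_parameters_limit}")
    table = ChainedTable()
    for pair in pairs:
        name, _, value = pair.partition("=")
        table.put(name, value)
    return table


def comparisons_for(names: List[str]) -> int:
    """Comparisons needed to load a body with the given field names (value 'x')."""
    body = "&".join(f"{n}=x" for n in names)
    return parse_form_body(body).comparisons


if __name__ == "__main__":
    n = 1000
    hostile = colliding_names(n)                 # constructed attack input
    benign = [f"field{i}" for i in range(n)]     # constructed ordinary form
    print("colliding:", comparisons_for(hostile))  # n*(n-1)/2 = 499500
    print("benign:   ", comparisons_for(benign))
    try:
        parse_form_body("&".join(f"{x}=x" for x in hostile), post_parameters_limit=100)
    except ValueError as e:
        print("rejected:", e)
```

With 1,000 colliding names every insert walks the whole chain, so the table does 499,500 comparisons for a body of about 24 KB; the same number of ordinary names spreads across the buckets and costs a few hundred. That quadratic growth is what turned Pete's 80,000-parameter request into a 31-minute response, and it is why a count-based limit applied before parsing is the cheap defence.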
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355293