Hash collision DoS

I have been dealing with this vulnerability a little bit. Amusingly, my old favorite Perl has had the fix for this for years: seed the hash with a per-process random value so an attacker cannot predict which bucket a key will land in. That is really the only general fix, because while you might be able to mitigate the specific case of hashing CGI parameters, anything that builds a hash table from input supplied by potentially malicious clients (query strings, form fields, JSON keys, HTTP headers) could be vulnerable. That is a pretty wide use case.

Of course, if attackers don't know how input processing is implemented, it is harder for them to find the hole to exploit. So I suppose blocking the specific method (as Tomcat did by limiting the number of parameters it will hash) serves to block opportunistic attacks. But it may still leave openings for someone determined to cause havoc on a specific site, since any other user-controlled key set fed into the same unseeded hash table is still attackable.
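To make the two mitigations above concrete, here is an added example (my own illustration, not code from the post, from Perl, or from Tomcat). It uses an unseeded 32-bit polynomial string hash of the shape many runtimes used, generates the classic colliding key set, and shows what those keys cost a chained hash table; then it repeats the experiment with a keyed hash (BLAKE2b in keyed mode, standing in for a runtime's seeded hash) and with a cap on the number of parameters parsed, the Tomcat-style mitigation (Tomcat's knob is the `maxParameterCount` connector attribute; the cap value and the seed bytes here are constructed for the demo).

```python
from __future__ import annotations

import hashlib
from urllib.parse import parse_qsl


def polynomial_hash(key: str) -> int:
    """Unseeded 32-bit h = 31*h + c string hash (same shape as Java's String.hashCode).

    It is linear in the characters, so colliding inputs are trivial to construct."""
    h = 0
    for ch in key:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h


def colliding_keys(blocks: int) -> list[str]:
    """Build 2**blocks distinct keys that all share one polynomial_hash value.

    "Aa" and "BB" collide (65*31+97 == 66*31+66), and because the hash is
    linear, every concatenation of such blocks collides too."""
    keys = [""]
    for _ in range(blocks):
        keys = [k + block for k in keys for block in ("Aa", "BB")]
    return keys


def keyed_hash(seed: bytes):
    """Return a hash function whose output depends on a secret seed.

    BLAKE2b's keyed mode mixes the seed non-linearly, so precomputed
    collisions are useless to an attacker who does not know the seed.
    (A real runtime would draw the seed from the OS at startup.)"""
    def h(key: str) -> int:
        digest = hashlib.blake2b(key.encode(), key=seed, digest_size=8).digest()
        return int.from_bytes(digest, "big")
    return h


class ChainedTable:
    """Separate-chaining hash table that counts key comparisons on insert."""

    def __init__(self, hash_fn, buckets: int = 4096):
        self.hash_fn = hash_fn
        self.buckets: list[list[str]] = [[] for _ in range(buckets)]
        self.comparisons = 0

    def insert(self, key: str) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for existing in chain:  # duplicate check walks the whole chain: O(n) per insert
            self.comparisons += 1
            if existing == key:
                return
        chain.append(key)

    def max_chain(self) -> int:
        return max(len(c) for c in self.buckets)


def insert_all(keys: list[str], hash_fn) -> tuple[int, int]:
    """Insert every key; return (longest chain, total key comparisons)."""
    table = ChainedTable(hash_fn)
    for k in keys:
        table.insert(k)
    return table.max_chain(), table.comparisons


def parse_params_capped(query: str, max_params: int) -> dict[str, str]:
    """Parse a query string but refuse more than max_params fields.

    This is the Tomcat-style mitigation: bound the work before any hashing
    happens. parse_qsl's own max_num_fields raises ValueError when exceeded."""
    pairs = parse_qsl(query, keep_blank_values=True, max_num_fields=max_params)
    return dict(pairs)


if __name__ == "__main__":
    keys = colliding_keys(10)  # 1024 keys, one polynomial_hash value
    print("unseeded hash (chain, comparisons):", insert_all(keys, polynomial_hash))
    print("keyed hash    (chain, comparisons):",
          insert_all(keys, keyed_hash(b"constructed-seed-for-demo")))
    print(parse_params_capped("a=1&b=2", 2))
    try:
        parse_params_capped("&".join(f"{k}=1" for k in keys), 500)
    except ValueError as exc:
        print("rejected:", exc)
```

With the unseeded hash all 1024 keys land in one bucket and the duplicate check performs 1024*1023/2 comparisons, quadratic in the request size; with the keyed hash they spread across buckets and the cost is linear. Python's own `hash()` for `str` is randomized per process (see `PYTHONHASHSEED`) for exactly this reason.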



Trying out mod_fcgid

mod_fcgid is an Apache httpd module that sets up a separate daemon for processing CGI requests. It is like mod_cgid, but it keeps a pool of FastCGI processes running rather than spinning up a new one each time a script needs to execute. SpringSource ERS 4 ships with it, but you have to enable the module and configure it yourself.

Official docs: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
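As an added example (my own, not configuration from the post or from the ERS 4 distribution), a minimal httpd fragment that enables mod_fcgid and bounds its process pool. The directive names are mod_fcgid's own; the module path, the script directory and the numeric limits are assumptions for illustration, and the access-control lines use httpd 2.2 syntax (on 2.4 use `Require all granted` instead).

```apache
# Load the module; the path is an assumption, ERS uses its own layout.
LoadModule fcgid_module modules/mod_fcgid.so

# Bound the pool so a burst of requests cannot fork processes without limit.
FcgidMaxProcesses 64
FcgidMaxProcessesPerClass 16

# Recycle each process after this many requests to contain leaks in scripts.
FcgidMaxRequestsPerProcess 1000

# Seconds to wait for script I/O before giving up on a hung process.
FcgidIOTimeout 40

# Reject request bodies larger than 1 MiB before they reach a script.
FcgidMaxRequestLen 1048576

# Script directory is an assumption; only .fcgi files are handed to the pool.
<Directory "/var/www/fcgi">
    Options +ExecCGI
    AddHandler fcgid-script .fcgi
    Order allow,deny
    Allow from all
</Directory>
```

Note that httpd does not accept trailing `#` comments on a directive line, so comments go on their own lines. The limits that matter for abuse resistance are the process caps (a pool is only a pool if it is bounded), the I/O timeout and FcgidMaxRequestLen; tune them to the real application rather than copying these numbers.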