Hashdos fix (maximum parameter limit) in jbossweb 2.0.0GA-CP is incomplete
--------------------------------------------------------------------------
Key: JBWEB-220
URL:
https://issues.jboss.org/browse/JBWEB-220
Project: JBoss Web
Issue Type: Bug
Security Level: Public (Everyone can see)
Affects Versions: JBossWeb-2.0.0.GA_CP11
Reporter: Pieter Bos
Assignee: Remy Maucherat
Because I do not want our application to be vulnerable to the recently disclosed HashMap
collision denial of service attack, I checked if JBoss Web was updated for this issue. This
seemed to be the case.
However, when I applied the fix and wrote the following Ruby script to test this, the hole
still seemed wide open. The fix has been applied to GET requests, but not to POST
requests. This is only a problem in version 2.0.0-GA-CP, and it should not be in 2.1 or
3.0. However, I have not tested the other versions.
Script to replicate this, in Ruby:
BEGIN OF SCRIPT
require "net/http"
require "uri"

uri = URI.parse("http://localhost:9090/")
post_data = {}
(1..4000).each do |i|
  post_data[i.to_s] = i.to_s
end
response = Net::HTTP.post_form(uri, post_data)
puts response
END OF SCRIPT
Result:
ruby-1.8.7-p334 :012 > response = Net::HTTP.post_form(uri, post_data)
=> #<Net::HTTPOK 200 OK readbody=true>
This should have been:
#<Net::HTTPInternalServerError 500 Internal Server Error readbody=true>
The fix is easy:
Revision 1903 in SVN should have fixed the problem. The fix has been applied to GET
requests, but not to POST requests. In Parameters.java, line 323, in the method addParam,
there should be these three lines:
if (paramHashStringArray.size() >= MAX_COUNT) {
    throw new IllegalStateException("Parameter count exceeded allowed maximum: " + MAX_COUNT);
}
If you add them, the problem has been solved.
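The point of the report is that the count limit must live in the one method every parameter source calls, so a POST body cannot sidestep a check that only the query-string parser performs. The following is an added example written for this page, not JBoss Web code: a minimal container modelled on addParam, with the MAX_COUNT value, the Parameters class and the handle function being constructed for illustration.

```ruby
require "cgi"

class ParameterLimitExceeded < StandardError; end

# Minimal stand-in for JBoss Web's Parameters class (constructed for this example).
class Parameters
  MAX_COUNT = 512 # constructed value; the real default is not given in the report

  def initialize
    @params = Hash.new { |h, k| h[k] = [] }
  end

  # Single choke point: both the query-string and the POST-body parsers call
  # this, so the limit applies regardless of which request method carried the
  # parameters. Only distinct names count, matching paramHashStringArray.size().
  def add_param(name, value)
    if !@params.key?(name) && @params.size >= MAX_COUNT
      raise ParameterLimitExceeded, "Parameter count exceeded allowed maximum: #{MAX_COUNT}"
    end
    @params[name] << value
  end

  def size
    @params.size
  end

  # Parses application/x-www-form-urlencoded data (query string or POST body)
  # and routes every pair through add_param.
  def add_form_encoded(data)
    data.split("&").each do |pair|
      next if pair.empty?
      name, value = pair.split("=", 2)
      add_param(CGI.unescape(name), CGI.unescape(value.to_s))
    end
    self
  end
end

# Builds a body like the report's script: `count` distinct keys (constructed input).
def build_body(count)
  (1..count).map { |i| "#{i}=#{i}" }.join("&")
end

# Returns the status a handler would produce: 500 (as in the report's expected
# result) when the limit is hit on either source, 200 otherwise.
def handle(query, body)
  params = Parameters.new
  params.add_form_encoded(query)
  params.add_form_encoded(body)
  200
rescue ParameterLimitExceeded
  500
end
```

With the check in add_param, the 4000-key POST from the report and the same keys sent as a query string are both rejected, while repeated values for one name do not count toward the limit.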