Hashdos fix (maximum parameter limit) in jbossweb 2.0.0GA-CP is incomplete -------------------------------------------------------------------------- Key: JBWEB-220 URL: https://issues.jboss.org/browse/JBWEB-220 Project: JBoss Web Issue Type: Bug Security Level: Public (Everyone can see) Affects Versions: JBossWeb-2.0.0.GA_CP11 Reporter: Pieter Bos Assignee: Remy Maucherat Because i do not want our application to be vulnerable to the recently disclosed hashmap collision denial of service attack, i checked if jbossweb was updated for this issue. This seemed to be the case. However, when i applied the fix and wrote the following ruby script to test this, the hole still seemed wide open. The fix has been applied to GET requests, but not to POST requests. This only is a problem in version 2.0.0-GA-CP, and it should not be in 2.1 or 3.0. However, i have not tested the other versions. Script to replicate this, in ruby: BEGIN OF SCRIPT require "net/http" require "uri" uri = URI.parse("http://localhost:9090/") post_data = {} (1..4000).each do |i| post_data[i.to_s]=i.to_s end response = Net::HTTP.post_form(uri, post_data) puts response END OF SCRIPT Result: ruby-1.8.7-p334 :012 > response = Net::HTTP.post_form(uri, post_data) => #<Net::HTTPOK 200 OK readbody=true> This should have been: #<Net::HTTPInternalServerError 500 Internal Server Error readbody=true> The fix is easy: Revision 1903 in SVN should have fixed the problem. The fix has been applied to GET requests, but not for POST request. On Parameters.java, line 323, in the method addParam, there should be these three lines: if (paramHashStringArray.size() >=MAX_COUNT) { throw new IllegalStateException("Parameter count exceeded allowed maximum: " + MAX_COUNT); } If you add them, the problem has been solved. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira