[jboss-jira] [JBoss JIRA] (JBWEB-220) Hashdos fix (maximum parameter limit) in jbossweb 2.0.0GA-CP is incomplete

Pieter Bos (Created) (JIRA) jira-events at lists.jboss.org
Tue Jan 3 09:05:09 EST 2012


Hashdos fix (maximum parameter limit) in jbossweb 2.0.0GA-CP is incomplete
--------------------------------------------------------------------------

                 Key: JBWEB-220
                 URL: https://issues.jboss.org/browse/JBWEB-220
             Project: JBoss Web
          Issue Type: Bug
      Security Level: Public (Everyone can see)
    Affects Versions: JBossWeb-2.0.0.GA_CP11
            Reporter: Pieter Bos
            Assignee: Remy Maucherat


Because I do not want our application to be vulnerable to the recently disclosed hashmap collision denial of service attack, I checked whether jbossweb was updated for this issue. This seemed to be the case.

However, when I applied the fix and wrote the following Ruby script to test this, the hole still seemed wide open. The fix has been applied to GET requests, but not to POST requests. This is only a problem in version 2.0.0-GA-CP, and it should not be in 2.1 or 3.0. However, I have not tested the other versions.

Script to replicate this, in Ruby:

BEGIN OF SCRIPT 

require "net/http"
require "uri"

# Target: a JBoss Web instance with the fix applied (adjust host and port).
uri = URI.parse("http://localhost:9090/")

# Build a form with 4000 distinct parameters, more than the parameter count
# limit the GET-side fix enforces. The keys do not collide; the point is
# only to exceed the count limit on the POST path.
post_data = {}
(1..4000).each do |i|
  post_data[i.to_s] = i.to_s
end

# Send the form as an application/x-www-form-urlencoded POST body and show
# the response class (200 OK means the limit was not applied to the body).
response = Net::HTTP.post_form(uri, post_data)
puts response.inspect

END OF SCRIPT

Result:

ruby-1.8.7-p334 :012 > response = Net::HTTP.post_form(uri, post_data)
 => #<Net::HTTPOK 200 OK readbody=true>

This should have been:

#<Net::HTTPInternalServerError 500 Internal Server Error readbody=true> 

The fix is easy:

Revision 1903 in SVN should have fixed the problem. The fix has been applied to GET requests, but not to POST requests. In Parameters.java, at line 323, in the method addParam, there should be these three lines:

    if (paramHashStringArray.size() >= MAX_COUNT) {
        throw new IllegalStateException("Parameter count exceeded allowed maximum: " + MAX_COUNT);
    }

If you add them, the problem is solved.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
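As an added example (not the reporter's script and not JBoss Web's own code), the following Ruby model shows why the placement of the count check matters. It mirrors the roles of Parameters.addParam and MAX_COUNT from the report with hypothetical names (Params, add_param, MAX_COUNT = 512, parse_form, handle_request_query_only_check, handle_request_fixed are all assumptions, as is the 512 limit), and feeds both variants a constructed request with 4000 distinct parameters, as in the script above. Like that script it uses non-colliding keys: the count limit is what bounds the work a collision attack can force, so exceeding the count is all that needs testing.

```ruby
require "cgi"

# Hypothetical names; they stand in for Parameters.addParam / MAX_COUNT in the
# report and are not the JBoss Web implementation.
class ParameterCountExceeded < StandardError; end

class Params
  MAX_COUNT = 512 # assumption: a small limit so the example runs instantly

  # check_in_add_param: true  => limit enforced inside add_param (the fix)
  #                     false => limit left to whichever caller remembers it
  def initialize(check_in_add_param)
    @check_in_add_param = check_in_add_param
    @map = Hash.new { |h, k| h[k] = [] }
  end

  # Stand-in for Parameters.addParam. In the fixed variant every parameter,
  # whether it came from the query string or the body, passes this check.
  def add_param(name, value)
    if @check_in_add_param && @map.size >= MAX_COUNT
      raise ParameterCountExceeded, "Parameter count exceeded allowed maximum: #{MAX_COUNT}"
    end
    @map[name] << value
  end

  def size
    @map.size
  end
end

# Splits an application/x-www-form-urlencoded string into [name, value] pairs.
def parse_form(encoded)
  encoded.split("&").map do |pair|
    name, value = pair.split("=", 2)
    [CGI.unescape(name.to_s), CGI.unescape(value.to_s)]
  end
end

# Vulnerable variant: the limit is applied only while the query string is
# parsed; the POST body is added to the same map with no check at all.
def handle_request_query_only_check(query, body)
  params = Params.new(false)
  query_pairs = parse_form(query)
  if query_pairs.size > Params::MAX_COUNT
    raise ParameterCountExceeded, "Parameter count exceeded allowed maximum: #{Params::MAX_COUNT}"
  end
  query_pairs.each { |n, v| params.add_param(n, v) }
  parse_form(body).each { |n, v| params.add_param(n, v) } # unchecked path
  params
end

# Fixed variant: the limit lives in add_param, so the query string and the
# body share one count and neither path can bypass it.
def handle_request_fixed(query, body)
  params = Params.new(true)
  parse_form(query).each { |n, v| params.add_param(n, v) }
  parse_form(body).each { |n, v| params.add_param(n, v) }
  params
end

# Runs a handler and reports whether the request was accepted or rejected,
# the rough equivalent of the 200 vs 500 the reporter observed.
def outcome(handler, query, body)
  send(handler, query, body)
  :accepted
rescue ParameterCountExceeded
  :rejected
end

# Constructed request body in the shape of the reporter's script: 4000 distinct
# parameters, far more than MAX_COUNT.
FLOOD_BODY = (1..4000).map { |i| "#{i}=#{i}" }.join("&")

if __FILE__ == $0
  puts "query-only check, flood in body: #{outcome(:handle_request_query_only_check, '', FLOOD_BODY)}"
  puts "fixed addParam,   flood in body: #{outcome(:handle_request_fixed, '', FLOOD_BODY)}"
  puts "query-only check, flood in query: #{outcome(:handle_request_query_only_check, FLOOD_BODY, '')}"
end
```

Running it shows the vulnerable variant accepting the 4000-parameter body while rejecting the same parameters in the query string, and the fixed variant rejecting both; a small legitimate request passes either way.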

        

