[jboss-jira] [JBoss JIRA] (JBWEB-220) Hashdos fix (maximum parameter limit) in jbossweb 2.0.0GA-CP is incomplete

Remy Maucherat (Commented) (JIRA) jira-events at lists.jboss.org
Tue Jan 3 09:26:10 EST 2012


    [ https://issues.jboss.org/browse/JBWEB-220?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12653511#comment-12653511 ] 

Remy Maucherat commented on JBWEB-220:
--------------------------------------

The idea was to patch without making complex optimizations in 2.0, but the check was not placed in the right location. 2.1+ does not use hashmap-based code, and could only benefit from byte[] -> String and parsing optimizations (but actually benefits mostly from limiting parameter and header counts to reasonable amounts, since not doing so could end up using lots of memory).
                
> Hashdos fix (maximum parameter limit) in jbossweb 2.0.0GA-CP is incomplete
> --------------------------------------------------------------------------
>
>                 Key: JBWEB-220
>                 URL: https://issues.jboss.org/browse/JBWEB-220
>             Project: JBoss Web
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>    Affects Versions: JBossWeb-2.0.0.GA_CP11
>            Reporter: Pieter Bos
>            Assignee: Remy Maucherat
>
> Because I do not want our application to be vulnerable to the recently disclosed hashmap collision denial of service attack, I checked if jbossweb was updated for this issue. This seemed to be the case.
> However, when I applied the fix and wrote the following ruby script to test this, the hole still seemed wide open. The fix has been applied to GET requests, but not to POST requests. This is only a problem in version 2.0.0-GA-CP, and it should not be in 2.1 or 3.0. However, I have not tested the other versions.
> Script to replicate this, in ruby:
> BEGIN OF SCRIPT 
> require "net/http"
> require "uri"
> uri = URI.parse("http://localhost:9090/")
> post_data = {}
> (1..4000).each do |i|
>  post_data[i.to_s]=i.to_s
> end
> response = Net::HTTP.post_form(uri, post_data)
> puts response
> END OF SCRIPT
> Result:
> ruby-1.8.7-p334 :012 > response = Net::HTTP.post_form(uri, post_data)
>  => #<Net::HTTPOK 200 OK readbody=true>
> This should have been:
> #<Net::HTTPInternalServerError 500 Internal Server Error readbody=true> 
> The fix is easy:
> Revision 1903 in SVN should have fixed the problem. The fix has been applied to GET requests, but not for POST requests. On Parameters.java, line 323, in the method addParam, there should be these three lines:
>  if (paramHashStringArray.size() >= MAX_COUNT) {
>      throw new IllegalStateException("Parameter count exceeded allowed maximum: " + MAX_COUNT);
>  }
> If you add them, the problem has been solved.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
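The point of the report is where the check sits, not what it says: the limit must be enforced on the shared code path that every parameter source reaches, so a POST body cannot slip past a check that only the query-string parser performs. As an added illustration (not JBoss Web's own Parameters.java, and not the reporter's code), the following sketch has a single addParam() choke point used by both the GET and POST parsing routes; the class name BoundedParameters, the method processParameters, and the limit of 10 are assumptions made for this demo.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Illustrative container (added example, not JBoss Web's Parameters.java).
// Both the query-string path and the POST-body path end in addParam(), so the
// count check lives in one place and applies regardless of request method.
public class BoundedParameters {
    private final int maxCount;  // stands in for MAX_COUNT; chosen by the caller
    private final Map<String, List<String>> params = new HashMap<>();
    public BoundedParameters(int maxCount) { this.maxCount = maxCount; }
    // Single choke point. Mirrors the three lines proposed in the report:
    // refuse as soon as the map already holds maxCount distinct names.
    public void addParam(String name, String value) {
        if (params.size() >= maxCount) {
            throw new IllegalStateException(
                "Parameter count exceeded allowed maximum: " + maxCount);
        }
        params.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
    }
    // Parses application/x-www-form-urlencoded text. The same method handles a
    // GET query string and a POST body, so neither can bypass the limit.
    public void processParameters(String encoded) {
        if (encoded == null || encoded.isEmpty()) return;
        for (String pair : encoded.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            addParam(URLDecoder.decode(name, StandardCharsets.UTF_8),
                     URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
    }
    public static void main(String[] args) {
        BoundedParameters p = new BoundedParameters(10);   // constructed limit
        p.processParameters("a=1&b=2");                    // query string: accepted
        StringBuilder body = new StringBuilder();          // constructed POST body, 20 names
        for (int i = 0; i < 20; i++) body.append(i).append('=').append(i).append('&');
        try {
            p.processParameters(body.toString());          // throws once 10 names are stored
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a servlet container the IllegalStateException surfaces as the 500 response the reporter expected, and the same exception path fires whether the parameters arrived in the URL or in the body.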
