Play 1.2.4 vulnerable to hash collision attack


svenkubiak

Jan 16, 2012, 4:00:32 AM
to play-framework
Hey everyone,

I saw the ticket (https://play.lighthouseapp.com/projects/57987/tickets/1353-play-124-vulnerable-to-hash-collision-attack) in the bug
tracker concerning the hash collision attack described in
http://www.nruns.com/_downloads/advisory28122011.pdf.

Wasn't this already fixed with the Security Update in Version 1.2.3?
The recommended way to address this issue is to randomize the hash-function,
but in the bug description I can see that we "only" limit
the post data?

Regards
Sven

Morten Kjetland

Jan 16, 2012, 4:24:06 AM
to play-fr...@googlegroups.com
The ticket is fixed in 1.2.x-branch.

I fixed it the same way Tomcat has done it - by having a default maxlimit of max params at 1000 items.

I have tested that 1000 hash collisions do not cause a noticeable CPU load and therefore is fixing this problem.

Remember: A server is always vulnerable to Denial of Service attacks (DoS). A typical DoS requires a lot of bandwidth to be able to take the server down.

What was special with this hash-collision attack was that it required a small bandwidth - a single attacker could send one "small" form (containing for example 40000 elements) - which would consume a lot of CPU -> server stops responding.

The fix prevents this by only accepting max 1000

-Morten




Ebenezer Olanrewaju

Jan 20, 2012, 3:57:37 PM
to play-fr...@googlegroups.com
Hello Morten,

"I fixed it the same way Tomcat has done it - by having a default maxlimit of max params at 1000 items."

Could you be kind enough to explain how to set the max params?

Thanks.

Regards,
Ebenezer Olanrewaju


Morten Kjetland

Jan 20, 2012, 4:01:14 PM
to play-fr...@googlegroups.com

http.maxParams in application.conf

Info here: https://github.com/playframework/play/commit/df9713b3dda751dd626925ba523bcc93eed958c3

-morten
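
The mitigation discussed in this thread, sketched as an added example (not part of any post above and not Play's or Tomcat's actual code): a form-body parser that counts parameters and rejects the request before any key reaches a hash map. The class and method names are hypothetical; the limit of 1000 is the default mentioned in the thread, and the sample bodies are constructed with distinct, harmless keys.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class BoundedFormParser {
    // Parse an application/x-www-form-urlencoded body, refusing it before
    // any key is hashed if it carries more than maxParams pairs.
    static Map<String, String> parse(String body, int maxParams) {
        Map<String, String> params = new LinkedHashMap<>();
        if (body.isEmpty()) return params;
        // Linear scan of separators: no decoding and no map inserts yet.
        // Empty pairs ("a=1&&b=2") are counted too, which errs on the safe side.
        int pairs = 1;
        for (int i = 0; i < body.length(); i++) {
            if (body.charAt(i) == '&' && ++pairs > maxParams) {
                throw new IllegalStateException(
                    "rejected: more than " + maxParams + " parameters");
            }
        }
        for (String pair : body.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String val = eq < 0 ? "" : pair.substring(eq + 1);
            // URLDecoder.decode(String, Charset) requires Java 10 or later.
            params.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                       URLDecoder.decode(val, StandardCharsets.UTF_8));
        }
        return params;
    }

    // Constructed sample body: n distinct keys k0..k(n-1), each with value "v".
    static String sampleBody(int n) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < n; i++) {
            sb.append(i == 0 ? "" : "&").append("k").append(i).append("=v");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println(parse(sampleBody(1000), 1000).size() + " parameters accepted");
        try {
            parse(sampleBody(40000), 1000); // the 40000-element form from the thread
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Because the count check runs as a single pass over the raw body, the cost of rejecting an oversized form stays linear in its length regardless of how its keys would hash.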

Ebenezer Olanrewaju

Jan 20, 2012, 11:37:49 PM
to play-fr...@googlegroups.com
Thanks.