HashDOS and ColdFusion
By Pete Freitag
Earlier this week at the 28C3 security conference in Berlin researchers presented on a denial of service (DOS) technique that several web application platforms (PHP, ASP.NET, Node.js, Tomcat, Java's HashMap/Hashtable etc) are vulnerable to, known as
The exploit takes advantage of hash collisions in the internal implementation of hashtables / hashmaps (think CFML
struct). When two keys are hashed and result in the same hash code a collision occurrs, and additional processing must take place to store or retrieve the item. Most application servers store request input variable (eg form, url scopes) in such a data structure. If you can construct a request with variable names that all have the same internal hashcode, the request goes from taking less than a second to process to several minutes.
As you can imagine this can cause a server to crawl/crash pretty quickly with a relatively small payload. Microsoft has released an out of band security patch for ASP.NET already. Tomcat has provided a work around in versions 7.0.23 or 6.0.35 and up.
The typical patch / workaround for this issue is to limit the number of input request variables, ASP.NET defaults this limit to 1000, tomcat defaults to 10,000.
Update: - Adobe has released a security hotfix to address this issue on ColdFusion 8 and 9. If you are running CF 6 or 7 you may still be vulnerable to this but Adobe no longer produces security hotfixes for these versions (upgrade to CF 8 or above).
To learn more about the mitigation that Adobe ColdFusion has put into place for HashDOS you can read my follow up post: Understanding HashDos and postParameterLimit.
HashDOS and ColdFusion was first published on December 30, 2011.
If you like reading about coldfusion, java, tomcat, hashdos, hash, security, or jrun then you might also like:
- OpenSSL and ColdFusion / Lucee / Tomcat
- Spring4Shell and ColdFusion
- Log4j CVE-2021-44228 Log4Shell Vulnerability on ColdFusion / Lucee
- J2EE Sessions in CF10 Uses Secure Cookies
The Fixinator Code Security Scanner for ColdFusion & CFML is an easy to use security tool that every CF developer can use. It can also easily integrate into CI for automatic scanning on every commit.