Posted to users@tomcat.apache.org by Gadi Katsovich <ga...@yahoo.com> on 2011/12/30 10:35:02 UTC

POST form parameter parsing order

Hello All,
I am using Tomcat 5.5.30 and am affected by the hashtable collision DoS vulnerability.
I wanted to know if the Request parameter parsing is always invoked? 

Or is it only performed once a servlet asks for a parameter? Meaning if my servlets don't ask for a parameter, then no hashing, then no vulnerability?



Thank you.

Re: POST form parameter parsing order

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Konstantin,

On 12/30/11 3:53 PM, Konstantin Kolinko wrote:
> 2011/12/30 Christopher Schultz <ch...@christopherschultz.net>:
>> 
>> On 12/30/11 4:35 AM, Gadi Katsovich wrote:
>>> I am using Tomcat 5.5.30 and am affected by the hashtable
>>> collision DoS vulnerability.
>> 
>> Just wondering: are you actually under attack, or are you just
>> saying that you are vulnerable?
>> 
>> I would venture a guess that most sites are currently vulnerable,
>> as 7.0.23 is a somewhat recent release (and has a nasty bug which
>> is easily corrected with trivial configuration) and 6.0.34 was
>> never released.
> 
> If you haven't noticed yet, there is 6.0.35.

Sorry, I always forget that the website changelog is perpetually a
version behind with release dates. :(

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: POST form parameter parsing order

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/12/30 Christopher Schultz <ch...@christopherschultz.net>:
>
> On 12/30/11 4:35 AM, Gadi Katsovich wrote:
>> I am using Tomcat 5.5.30 and am affected by the hashtable collision
>> DoS vulnerability.
>
> Just wondering: are you actually under attack, or are you just saying
> that you are vulnerable?
>
> I would venture a guess that most sites are currently vulnerable, as
> 7.0.23 is a somewhat recent release (and has a nasty bug which is
> easily corrected with trivial configuration) and 6.0.34 was never
> released.

If you haven't noticed yet, there is 6.0.35.

> 5.5.x does not yet have a release version that includes the fix.
>
> Something you can do in the meantime is to limit the max POST size to
> something less than the default (which is 2MiB)... maybe 100KiB or
> whatever will meet your webapp's requirements.
>

Best regards,
Konstantin Kolinko



Re: POST form parameter parsing order

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Gadi,

On 12/30/11 4:35 AM, Gadi Katsovich wrote:
> I am using Tomcat 5.5.30 and am affected by the hashtable collision
> DoS vulnerability.

Just wondering: are you actually under attack, or are you just saying
that you are vulnerable?

I would venture a guess that most sites are currently vulnerable, as
7.0.23 is a somewhat recent release (and has a nasty bug which is
easily corrected with trivial configuration) and 6.0.34 was never
released. 5.5.x does not yet have a release version that includes the fix.

Something you can do in the meantime is to limit the max POST size to
something less than the default (which is 2MiB)... maybe 100KiB or
whatever will meet your webapp's requirements.

-chris



Re: POST form parameter parsing order

Posted by ma...@apache.org.
Gadi Katsovich <ga...@yahoo.com> wrote:

>Hello All,
>I am using Tomcat 5.5.30 and am affected by the hashtable collision DoS
>vulnerability.
>I wanted to know if the Request parameter parsing is always invoked? 
>
>Or is it only performed once a servlet asks for a parameter? Meaning if
>my servlets don't ask for a parameter, then no hashing, then no
>vulnerability?
>
>
>
>Thank you.

For all Tomcat versions, parameters are only parsed when required. I.e., if nothing tries to read a parameter name or value, then the parameters will not be parsed.

Mark
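The two points made in this thread, that Tomcat parses parameters lazily and that capping the POST size limits exposure on a 5.5.x build with no fixed release, can be combined in a servlet filter that inspects only the request headers and rejects oversized form bodies before any servlet calls getParameter(). This is an added illustration written for this thread, not code from Tomcat or from anyone in the discussion; the class name, the 100 KiB figure (taken from Chris's suggestion) and the Servlet 2.4 API used by Tomcat 5.5 are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter: rejects oversized form POSTs before a servlet
 * reads any parameter. Because Tomcat parses parameters lazily, looking
 * only at Content-Type and Content-Length here never triggers the
 * hashing of the request body.
 */
public class FormPostSizeFilter implements Filter {

    /** 100 KiB, the figure suggested in the thread; tune to the webapp's needs. */
    private static final int MAX_FORM_BYTES = 100 * 1024;

    public void init(FilterConfig filterConfig) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String contentType = request.getContentType();
        boolean isForm = "POST".equalsIgnoreCase(request.getMethod())
                && contentType != null
                && contentType.toLowerCase().startsWith("application/x-www-form-urlencoded");

        // getContentLength() returns -1 when the client sends no
        // Content-Length (e.g. chunked transfer encoding); treat that as
        // oversized, since the body size cannot be bounded without reading it.
        int length = request.getContentLength();
        if (isForm && (length < 0 || length > MAX_FORM_BYTES)) {
            response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map the filter in web.xml ahead of any servlet that reads parameters; it only bounds form bodies, so query-string parameters and the Connector-level maxPostSize setting that Chris's suggestion refers to still need attention separately.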
