
Thursday, December 29, 2011
HashDOS: Important Vulnerability Coming Into The Spotlight.
VIA SECURITYPRONEWS.com
Qushawn Clark
Contributing Writer
A presentation at a German security conference has many people worried about a newly realized vulnerability that is present in most web frameworks.
According to a post from Sophos, "The type of hashing used by PHP, Java, Python and JavaScript in this attack is not a cryptographic hash, it is a simple mathematical hash used to speed up storing and retrieving data posted to web pages."
Under normal circumstances, collisions in the hashes are managed by built-in language constructs and are not really an issue. However, in these types of attacks, the attacker can send pre-calculated values that will result in all of the hash values being the same, which will crash the majority of servers. The same Sophos post stated, "An example given showed how submitting approximately two megabytes of values that all compute to the same hash causes the web server to do more than 40 billion string comparisons." That is a nearly inconceivable amount of work for just looking up some data for a webpage.
Apparently the keepers of the Perl language went ahead and did something about this vulnerability some time ago, but nobody else followed suit, so they are all at risk. Hopefully, the people behind PHP, Python, and other applicable languages will actually pay attention this time and go ahead and make the necessary changes.
About the Author:
Qushawn is a staff writer for the iEntry Network.