DoS-vulnerability in web programming languages

Posted On // Leave a Comment


At an international conference of experts in IT-technologies Chaos Communication Congress, a report by Alexander Klink (Alexander "alech" Klink) and Julian Velde (Julian "zeri" Wälde), describes a number of serious vulnerabilities in popular web programming languages. Most of the problems researchers have linked with incorrect handling of web forms and the possibility of compromise of a hash table, which can lead to a successful DOS-attacks on Web servers, followed by theft of data, with significant resources for the attack is not required.

The essence of vulnerability researchers describe as follows: Web programming languages ​​- such as PHP, ASP.NET, Java, Python, Ruby - have direct access to computing resources of a computer, a Web application written in these languages ​​are often treated with POST-requests in the automatic mode, in addition, if the application can not use randomized hash function, the attacker can request specially organized to cause a collision of hash values, which may significantly load the server computing resources.

At the moment, PHP 5, Java, and ASP.NET (UPD: Patch released) are completely vulnerable to attack described, while PHP 4, Python, Ruby - partially vulnerable (the report states that most vulnerabilities are based on concepts first introduced more in 2003, but only in Ruby in 2008, appeared correction, partially exclusive use), and the degree of danger depends on the 32-bit or 64-bit architecture.

It is interesting that Microsoft has acknowledged a serious problem and issued an emergency patch that is associated with security bulletin Security Advisory 2659883, which just eliminates the problem of collisions of hash functions in ASP.NET. Released a patch is associated with the correction. NET Framework now supported on all versions of Windows, although well-known incidents of exploitation of the problem is not yet known.

0 comments:

Post a Comment