
09 January 2012

Comments

In nginx, you can set this in your http{} section.

client_max_body_size 64k;

Good job! I'm not sure, though, that repetitive payloads are required for the attack to work. (Maybe it is like this for the ASP.NET implementation, but for PHP only POST names should trigger collisions; values can be anything, though I agree I didn't check it.)

The hash_dos_param_name.txt could also include collisions for PHP. I've prepared a PoC at http://koto.github.com/blog-kotowicz-net-examples/hashcollision/kill.html
