Is nginx vulnerable to the Hash Table Vulnerability (n.runs AG)? - Justin Hart - ru.sysoev.nginx

9 messages in ru.sysoev.nginxIs nginx vulnerable to the Hash Table...

From	Sent On	Attachments
Justin Hart	Dec 31, 2011 10:37 am
Maxim Dounin	Dec 31, 2011 4:34 pm
agentzh	Dec 31, 2011 9:53 pm
Justin Hart	Dec 31, 2011 9:58 pm
agentzh	Jan 1, 2012 6:20 am
Nginx User	Jan 1, 2012 6:31 am
Sergey A. Osokin	Jan 1, 2012 10:37 am
agentzh	Jan 4, 2012 3:47 am
Nginx User	Jan 4, 2012 12:01 pm

Subject:	Is nginx vulnerable to the Hash Table Vulnerability (n.runs AG)?
From:	Justin Hart (onyx...@gmail.com)
Date:	Dec 31, 2011 10:37:16 am
List:	ru.sysoev.nginx

http://www.securityweek.com/hash-table-collision-attacks-could-trigger-ddos-massive-scale

Without going through the way nginx parses an incoming request, I'm unsure if nginx isn't vulnerable to this, because of the availability to grab the value of a GET parameter via http://wiki.nginx.org/HttpCoreModule#.24arg_PARAMETER. My hope is that especially if an $arg_PARAMETER isn't used in the config, it is not vulnerable because it wouldn't even attempt to parse the parameters, but I can't be sure.

Can anyone speak to this?

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets