Is nginx vulnerable to the Hash Table Vulnerability (n.runs AG)?

Justin Hart onyxraven at gmail.com
Sat Dec 31 18:37:39 UTC 2011


http://www.securityweek.com/hash-table-collision-attacks-could-trigger-ddos-massive-scale

Without going through the way nginx parses an incoming request, I'm unsure
if nginx isn't vulnerable to this, because of the availability to grab the
value of a GET parameter via
http://wiki.nginx.org/HttpCoreModule#.24arg_PARAMETER.  My hope is that
especially if an $arg_PARAMETER isn't used in the config, it is not
vulnerable because it wouldn't even attempt to parse the parameters, but I
can't be sure.

Can anyone speak to this?


More information about the nginx mailing list