Signature Detail
This site is deprecated. Please CLICK HERE for latest updates
Short Name |
HTTP:MICROSOFT-ASPNET-POST-DOS |
|---|---|
Severity |
Major |
Recommended |
No |
Recommended Action |
Drop |
Category |
HTTP |
Keywords |
Microsoft ASP.NET Post Request Parameters Handling Denial of Service |
Release Date |
2014/11/18 |
Update Number |
2441 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |
HTTP: Microsoft ASP.NET Post Request Parameters Handling Denial of Service
This signature detects attempts to exploit a known issue in Microsoft ASP.NET. Attacker could exploit this issue by sending crafted HTTP requests with high number of parameters without any values.
Extended Description
The CaseInsensitiveHashProvider.getHashCode function in the HashTable implementation in the ASP.NET subsystem in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka "Collisions in HashTable May Cause DoS Vulnerability."
Affected Products
- Microsoft windows_7 -
- Microsoft windows_server_2003 *
- Microsoft windows_server_2008 -
- Microsoft windows_server_2008 *
- Microsoft windows_server_2008 r2
- Microsoft windows_vista -
- Microsoft windows_vista *
- Microsoft windows_xp *
- Microsoft windows_xp sp3
References
- CVE: CVE-2011-3414