BID:52436

Adobe ColdFusion Hash Collision Denial Of Service Vulnerability

Info

Adobe ColdFusion Hash Collision Denial Of Service Vulnerability

Bugtraq ID:	52436
Class:	Failure to Handle Exceptional Conditions
CVE:	CVE-2012-0770
Remote:	Yes
Local:	No
Published:	Mar 13 2012 12:00AM
Updated:	Mar 13 2012 12:00AM
Credit:	Adobe
Vulnerable:	Adobe ColdFusion 8.0.1 Adobe ColdFusion 9.0.1 Adobe ColdFusion 9.0.1 Adobe ColdFusion 9.0 Adobe ColdFusion 8.0

Not Vulnerable:

Discussion

Adobe ColdFusion Hash Collision Denial Of Service Vulnerability

ColdFusion is prone to a denial-of-service vulnerability.

An attacker can exploit this issue by sending specially crafted forms in HTTP POST requests.

Successful exploits will allow attackers to cause a denial-of-service condition.

Exploit / POC

Adobe ColdFusion Hash Collision Denial Of Service Vulnerability

An attacker can use readily available tools to exploit this issue.

Solution / Fix

Adobe ColdFusion Hash Collision Denial Of Service Vulnerability

Solution:
Vendor updates are available. Please see the references for more information.

References

Adobe ColdFusion Hash Collision Denial Of Service Vulnerability

References:

Adobe ColdFusion Homepage (Adobe)
APSB12-06 Security update: Hotfix available for ColdFusion (Adobe)
Denial of Service through hash table multi-collisions (n.runs AG)
Hash table implementations vulnerable to algorithmic complexity attacks (Alexander Klink)
multiple implementations denial-of-service via hash algorithm collision (Alexander Klink)