Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Hash collisions vulnerability in web servers - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Hash collisions vulnerability in web servers

A new vulnerability advisory by security firm n-runs [1] describes how hash tables in PHP5,Java,ASP.NET and others can be attacked with deliberate collisions in the hash function, leading to a denial of service (DoS) on the web server in question. Microsoft have already responded with an advisory [2] of their own, other vendors are likely to follow.



385 Posts
ISC Handler
Dec 28th 2011
Does anyone know if the out of band patch just announced: is for this issue. As it is priv esc it appears to be different but I could be (and hoping) I am wrong.

14 Posts
According to the Twitter entry the out-of-band update will be for the issue described in the article above.
Yes, the out of band patch will be for this issue.

See "Advanced Notification for out-of-band release to address Security Advisory 2659883" ( and "Microsoft releases Security Advisory 2659883, offers workaround for industry-wide issue" ( for more information.
I'm confused. A security bulletin with Elevation of Privilege impact adressing a security advisory with Denial of Service impact? Could the hash collisions cause other security issues for .NET applications than just DoS in ASP.NET?

3 Posts
@ Jonas


160 Posts
OOB webcast today at 13:00 PT, register at

MS11-100 is now live at

Microsoft planned ahead with 3 digit bulletin numbers, I hope we never get to 999 in a single year :)
12 Posts
Any idea on how MS is addressing the Hash collision via patch? Isnt the only way to prevent this by limiting the amount of POST data you can send to a website.
Nick, most probably they have changed the internal hash table implementation to add randomization of the hashing function and reduce "collisions", as Perl and Ruby 1.9 previously did.

The patch is required because some web applications might require to manage big amounts of data in POST requests, or at least, big enough to make the attack feasible.
Raul Siles

152 Posts

Sign Up for Free or Log In to start participating in the conversation!