On the security list, someone posted (1) a short perl program which created a hash with 28 shortish random word keys (i.e. those matching /a-z{2,12}/), and then printed those keys to stdout in unsorted order; (2) a C program, which given as input that list of keys, in 785 CPU seconds was able to completely determine the random hash seed of that perl process.
Okay. Is there any chance of laying my hands on the sources for the C program?
I'd be a whole lot more impressed if the keys were a set of real (or at least realistic) headers, say something like this:
- But even if that could still be done in a similar timeframe -- which I think is highly doubtful -- in order to exploit that knowledge, they would then need to cause the server to generate a set of headers that provoked the pathological behaviour.
How can an external party cause a server to generate a set of headers that are carefully crafted to induce the pathological behaviour that is the apparent root of the perceived problem?
- And, how many web servers would still be running that same perl process, with that same random seed 15 minutes later?
- And how many sites are there that run a single server process with a single persistent Perl process?
- And how many of those emit sufficient, short, and unsorted headers for the determination to be made?
- And how many of those accept sufficient input from a remote user, to that same perl process, such that the bad guys, having determined the seed value, can construct a pathological set of keys of sufficient size to cause harm, and then persuade the process to accept those values from them and build a hash with them?
I'm just not seeing the threat landscape where such a combination of requirements will exist. And even if they did, they would be so few and far between, and on such small websites -- single servers with a single permanent perl process are basically confined to schools, charities and mom*pop stores -- that no hacker is ever going to waste their time trying to find them, much less exploit them.
In any case, my comment about "unnecessary" was little more than a footnote in my suggestion above that the OP could try reverting his 5.24 perl to using the 5.8.9 hashing mechanism to see if that was the source of his performance issue. If it isn't, one more thing to ignore. If it turned out it was, he could decide if his application was even remotely vulnerable to the "security concern" and choose to revert or not as he saw fit.
With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
In the absence of evidence, opinion is indistinguishable from prejudice.
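An added illustration, not code from this thread nor from either program it describes: a Perl script (assumes perl 5.18 or later, where hash order is randomised per process) that reproduces part (1) as stated above, 28 random keys matching /^[a-z]{2,12}$/ printed in native hash order, then shows what the PERL_HASH_SEED and PERL_PERTURB_KEYS environment variables do to that order, and the output-side fix of sorting keys before they leave the process. The seed-recovering C program is not reproduced.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread. Part (1) of the experiment:
# 28 random keys matching /^[a-z]{2,12}$/ emitted in native hash order.
# Then: what PERL_HASH_SEED / PERL_PERTURB_KEYS (perl >= 5.18) do to that
# order, and the defensive fix of sorting before emitting.
use strict;
use warnings;

# Fixed srand so every run builds the same key set; only hash order varies.
sub random_keys {
    my ($n) = @_;
    srand 42;
    my %h;
    while (keys %h < $n) {
        my $len = 2 + int rand 11;                      # 2..12 chars
        $h{ join '', map { chr 97 + int rand 26 } 1 .. $len } = 1;
    }
    return \%h;
}

# Child mode: print keys unsorted, i.e. in per-process hash order.
if (@ARGV and $ARGV[0] eq '--emit') {
    my $h = random_keys(28);
    print "$_\n" for keys %$h;
    exit 0;
}

# Re-run this script as a fresh perl process with extra env vars and
# capture the emitted key order.
sub child_order {
    my (%env) = @_;
    local %ENV = (%ENV, %env);
    my $out = qx($^X $0 --emit);
    return [ split /\n/, $out ];
}

my ($r1, $r2) = (child_order(), child_order());
print "two default runs, same order: ",
      ("@$r1" eq "@$r2" ? "yes" : "no"), "\n";      # normally "no"

my %fixed = (PERL_HASH_SEED => 0, PERL_PERTURB_KEYS => 0);
my ($f1, $f2) = (child_order(%fixed), child_order(%fixed));
print "two fixed-seed runs, same order: ",
      ("@$f1" eq "@$f2" ? "yes" : "no"), "\n";      # "yes"

# Output-side mitigation: a sorted listing carries no information about
# the process's hash order, whatever the seed is.
print "sorted: @{[ sort @$r1 ]}\n";
```

Running it twice with the default environment shows the order change the post relies on; the fixed-seed pair shows the deterministic mode that is useful for debugging but should not be used on a server.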