Just to give you an idea: with 80,000 post params that caused a hash
collision, it took my quad-core desktop 31 minutes to respond to the
request; sending a larger number of post params (120,000) that did not have a
collision executed in 3 seconds. So what is safe really depends on your
tolerance and CPU processing power.

With 1000 colliding params you can probably cause a few seconds of
processing time on the server.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes



On Thu, Apr 4, 2013 at 4:57 PM, Chris <0404tow...@gmail.com> wrote:

>
> How many is too many post parameters?
>
>
> We've had a few applications fail with the new postParametersLimit in CHF4
> (the included Security Hotfix APSB12-06,
> http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html )
>
> Even increasing postParametersLimit from 100 to 200 isn't enough -- one
> application uses 1006 post parameters ( !! )
>
>
> So given that this is a denial of service attack prevention, how risky is
> it letting 1100 post parameters go through with every request? I'm figuring
> a real DoS attack would have a lot more than 1100 parameters, but setting
> post parameters for 11 times the security update value sounds like poor
> practice.
>
> thank you,
> Chris
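The setting Chris is asking about, and the measurement Pete reports, both come down to the same design point: a parameter-count limit only helps against the collision case if it is enforced before the server starts hashing keys into its parameter map. The following is an added example, not code from this thread, from ColdFusion, or from the APSB12-06 hotfix; it is a small form-body parser that counts `&`-separated pairs as it goes and rejects the request the moment the count passes the limit. The default limit of 100, the `TooManyParameters` exception, and the `make_body` helper with its `field<n>` names are assumptions constructed for the example.

```python
"""Form-body parser with a hard parameter-count limit.

Added example (not code from the cf-talk thread or from ColdFusion): it shows
the idea behind a postParametersLimit-style setting. The limit is enforced
while the body is being split, before any key is hashed or inserted into a
dictionary, so an over-limit request costs a single pass over the bytes
rather than the cost of building the whole parameter map. The names, the
default limit and the sample bodies below are constructed for the example.
"""
from urllib.parse import unquote_plus

# Hypothetical default; mirrors the "100" Chris mentions in the thread.
DEFAULT_POST_PARAMETERS_LIMIT = 100


class TooManyParameters(ValueError):
    """Raised when a body carries more name=value pairs than the limit allows."""


def count_parameters(body: str) -> int:
    """Cheap pre-check: count '&'-separated pairs without decoding or hashing.

    Empty segments (a trailing '&' or '&&') are not counted as parameters.
    """
    if not body:
        return 0
    return sum(1 for segment in body.split("&") if segment)


def parse_form_body(body: str, limit: int = DEFAULT_POST_PARAMETERS_LIMIT) -> dict[str, list[str]]:
    """Parse application/x-www-form-urlencoded text into {name: [values]}.

    Raises TooManyParameters before the map is complete if the pair count
    exceeds `limit`. Repeated names are collected into a list, because the
    form encoding allows a name to occur more than once.
    """
    if limit < 0:
        raise ValueError("limit must be non-negative")
    seen = 0
    params: dict[str, list[str]] = {}
    for segment in body.split("&"):
        if not segment:
            continue
        seen += 1
        if seen > limit:
            # Stop at the first pair past the limit: the remaining keys are
            # never decoded or hashed, which is what bounds the CPU cost.
            raise TooManyParameters(f"request carries more than {limit} post parameters")
        name, sep, value = segment.partition("=")
        name = unquote_plus(name)
        value = unquote_plus(value) if sep else ""
        params.setdefault(name, []).append(value)
    return params


def make_body(n: int, name_prefix: str = "field") -> str:
    """Build a constructed body with n distinct parameters (test input only)."""
    return "&".join(f"{name_prefix}{i}={i}" for i in range(n))


if __name__ == "__main__":
    print(parse_form_body("user=chris&tag=a&tag=b&empty=&flag"))
    # The 1006-field form from the thread, against the raised limits discussed there.
    print(count_parameters(make_body(1006)))
    try:
        parse_form_body(make_body(1006), limit=200)
    except TooManyParameters as exc:
        print("rejected:", exc)
    print(len(parse_form_body(make_body(1006), limit=1100)))
```

Raising the limit to 1100 for the one application that needs it is then a per-endpoint decision rather than a global one: the parser takes the limit as an argument, so the handler for the 1006-field form can pass a larger value while every other handler keeps the default, and a rejection is a single exception that can be logged and counted as a signal worth watching.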

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355285