Hash Algorithm Collision Fix using an Apache Module2012-02-04
The module can be used by sites who use an Apache reverse proxy in front of their Java (Tomcat, JBoss, ...) or PHP sites.
The module parses the HTTP GET or POST parameters, calculates their hashes for the backend platform en checks if the hash collisions or number of parameters don't exceed a configured maximum. It one of these settings are exceeded the HTTP request is discarded and never sent to the backend system.
The module uses the GNU autotools installation method, you just have to tell it where your Apache server is installed. Your Apache server needs to support DSO modules.
./configure --with-apache=/path/to/apache/install make make install
The install action will place libmodhacf.so in the Apache server's modules directory and add a LoadModule directive in httpd.conf. You should see a line similar to the following in your httpd.conf:
LoadModule hacf_module modules/libmodhacf.so
If you already use an Apache reverse proxy, just add the correct HacfLanguage directive to the relevant section of your httpd.conf.
The configuration for a Java site with URL http://server.example.com/app would be:
<location app="/app"> HacfLanguage Java ProxyPass http://server.example.com/app ProxyPassReverse http://server.example.com/app </location>
For a PHP5 site, use PHP as the value of the HacfLanguage setting.
The request filtering can be tuned using the parameters:
- HacfMaxCollisions, maximum number of allowed collisions before a request is dropped (default 3)
- HacfMaxParameters, maximum number of allowed parameters before a request is dropped (default 256)
The default settings for these parameters can seem aggressive but the should be fine for most applications.
What's next ?
The code in GitHub has a pretty limited feature set because I set out to protect a specific customer's site, but there is a Version 1.0.0 Milestone release planned with support for APR 1 (Apache 2.2), PHP4 sites and Python (Plone and mod_python) sites.