Django remedies a security issue (DoS attack)
Today the Django team is issuing multiple releases -- Django 1.4.8, Django 1.5.4, and Django 1.6 beta 4 -- to remedy a security issue which was disclosed publicly by a third party earlier today. These releases are now available on PyPI and our download page.
These releases address a denial-of-service attack against Django's authentication framework. All users of Django are encouraged to upgrade immediately.
Release outside of normal security process
Normally, our security process involves a one-week lead time for third parties on our security prenotification list. That process, however, relies on responsible disclosure practices which maintain confidentiality of a security issue until a coordinated public release date. To facilitate that, we ask that potential security issues always be reported via email to security@djangoproject.com, rather than through public channels such as Django's ticket tracker or the django-developers mailing list.
This issue, unfortunately, could not be handled by our normal process, as it was first reported publicly on the django-developers mailing list. It has since been confirmed by the Django core team, and due to the already-public nature of the issue and the potential to impact live deployments of Django, we are instead issuing security releases immediately.
Issue: denial-of-service via large passwords
Django's authentication framework -- django.contrib.auth -- includes a default User model and backend which authenticates via username and password. The raw password is not stored in the database; instead, a hashed version of the password is stored, and the hash is computed each time a user attempts to log in. The hasher to use is configurable, via the PASSWORD_HASHERS setting.
The default password hasher in Django is PBKDF2, which has the virtue of allowing the complexity of computing the hash to be effectively arbitrarily high, by repeated "rounds" of application before producing the final result. This increases the difficulty of attacks which use brute-force methods to compute the hashes of many possible plaintext values, in hopes of discovering which plaintext password corresponds to a given hashed value.
Unfortunately, this complexity can also be used as an attack vector. Django does not impose any maximum on the length of the plaintext password, meaning that an attacker can simply submit arbitrarily large -- and guaranteed-to-fail -- passwords, forcing a server running Django to perform the resulting expensive hash computation in an attempt to check the password. A password one megabyte in size, for example, will require roughly one minute of computation to check when using the PBKDF2 hasher.
This allows for denial-of-service attacks through repeated submission of large passwords, tying up server resources in the expensive computation of the corresponding hashes.
Although this is most effective against algorithms which are designed to be relatively "slow" to compute, such as PBKDF2 (which, again, is the default hasher in Django's authentication framework), it is also effective against other hashers, as the time to compute the hash generally grows with the size of the password.
To remedy this, Django's authentication framework will now automatically fail authentication for any password exceeding 4096 bytes.
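The following is an added example, not Django's own code: a PBKDF2 password check guarded by a byte-length cap of the kind described above. The cap is applied before any hashing, so an oversized password costs only a length check. The limit is measured in bytes of the UTF-8 encoding, which matters for multibyte characters: 2049 two-byte characters exceed 4096 bytes even though the string is well under 4096 characters. The `pbkdf2_sha256$iterations$salt$hash` storage layout follows Django's documented encoded format; the iteration count and helper names are assumptions for illustration.

```python
"""Added example (not Django's code): PBKDF2 check with a byte-length cap."""
import base64
import hashlib
import hmac
import os

MAX_PASSWORD_BYTES = 4096   # the cap applied in the releases described above
ITERATIONS = 10000          # illustrative round count (assumption, not Django's default)


def password_too_long(password):
    """True if the UTF-8 encoding of the password exceeds the byte cap.

    The check is on bytes, not characters: 'ü' * 2049 is 2049 characters
    but 4098 bytes, so it is rejected."""
    return len(password.encode('utf-8')) > MAX_PASSWORD_BYTES


def make_password(password, salt=None, iterations=ITERATIONS):
    """Hash with PBKDF2-HMAC-SHA256 and encode as 'pbkdf2_sha256$iter$salt$hash'.

    A caller storing a new password should also apply the cap, otherwise
    the expensive hash still runs once at registration time."""
    if password_too_long(password):
        raise ValueError('password exceeds %d bytes' % MAX_PASSWORD_BYTES)
    if salt is None:
        # 12 random bytes -> 16 base64 characters, no padding
        salt = base64.b64encode(os.urandom(12)).decode('ascii')
    digest = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'),
                                 salt.encode('ascii'), iterations)
    return 'pbkdf2_sha256$%d$%s$%s' % (
        iterations, salt, base64.b64encode(digest).decode('ascii'))


def check_password(password, encoded):
    """Return True only if password matches the stored encoded hash.

    Order matters: the length check runs first, so an attacker-supplied
    multi-megabyte password never reaches the PBKDF2 rounds."""
    if password_too_long(password):
        return False
    algorithm, iterations, salt, stored = encoded.split('$', 3)
    if algorithm != 'pbkdf2_sha256':
        return False
    digest = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'),
                                 salt.encode('ascii'), int(iterations))
    candidate = base64.b64encode(digest).decode('ascii')
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, stored)


if __name__ == '__main__':
    stored = make_password('correct horse battery staple')
    print(check_password('correct horse battery staple', stored))  # True
    print(check_password('a' * (MAX_PASSWORD_BYTES + 1), stored))  # False, no hashing done
```

The two calls at the bottom show the intended behaviour: a matching password of normal length verifies, while a password one byte over the cap is rejected without the server spending any time on the hash rounds.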
Affected versions
- Django master development branch
- Django 1.6 (currently at beta status)
- Django 1.5
- Django 1.4
At the time of this writing, efforts are being made to obtain a CVE for this issue. This post will be updated with the CVE once it has been obtained.
Update: this issue was assigned CVE-2013-1443.
Resolution
Patches have been applied to Django's master development branch, and to the 1.6, 1.5 and 1.4 release branches, which resolve the issue described above. The patches may be obtained directly from the following changesets:
- master development branch
- 1.6 release branch
- 1.5 release branch
- 1.4 release branch and additional commit for Python 2.5 compatibility
The following new releases have been issued:
- Django 1.6 beta 4 (download Django 1.6b4 | 1.6b4 checksums)
- Django 1.5.4 (download Django 1.5.4 | 1.5.4 checksums)
- Django 1.4.8 (download Django 1.4.8 | 1.4.8 checksums)
General notes regarding security reporting
As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. If you think you may have found a security issue but aren't sure, we urge you to err on the side of caution, and report via email rather than public channels. Please see our security policies for further information.
Posted by James Bennett on September 15, 2013