Django remedies a security issue: denial-of-service attack via large passwords
Today the Django team is issuing multiple releases -- Django 1.4.8, Django 1.5.4, and Django 1.6 beta 4 -- to remedy a security issue which was disclosed publicly by a third party earlier today. These releases are now available on PyPI and our download page.
These releases address a denial-of-service attack against Django's authentication framework. All users of Django are encouraged to upgrade immediately.
Release outside of normal security process
Normally, our security process involves a one-week lead time for third parties on our security prenotification list. That process, however, relies on responsible disclosure practices which maintain confidentiality of a security issue until a coordinated public release date. To facilitate that, we ask that potential security issues always be reported via email to security@djangoproject.com, rather than through public channels such as Django's ticket tracker or the django-developers mailing list.
This issue, unfortunately, could not be handled by our normal process, as it was first reported publicly on the django-developers mailing list. It has since been confirmed by the Django core team, and due to the already-public nature of the issue and the potential to impact live deployments of Django, we are instead issuing security releases immediately.
Issue: denial-of-service via large passwords
Django's authentication framework -- django.contrib.auth -- includes a default User model and backend which authenticates via username and password. The raw password is not stored in the database; instead, a hashed version of the password is stored, and the hash is computed each time a user attempts to log in. The hasher to use is configurable, via the PASSWORD_HASHERS setting.
The default password hasher in Django is PBKDF2, which has the virtue of allowing the complexity of computing the hash to be effectively arbitrarily high, by repeated "rounds" of application before producing the final result. This increases the difficulty of attacks which use brute-force methods to compute the hashes of many possible plaintext values, in hopes of discovering which plaintext password corresponds to a given hashed value.
Unfortunately, this complexity can also be used as an attack vector. Django does not impose any maximum on the length of the plaintext password, meaning that an attacker can simply submit arbitrarily large -- and guaranteed-to-fail -- passwords, forcing a server running Django to perform the resulting expensive hash computation in an attempt to check the password. A password one megabyte in size, for example, will require roughly one minute of computation to check when using the PBKDF2 hasher.
This allows for denial-of-service attacks through repeated submission of large passwords, tying up server resources in the expensive computation of the corresponding hashes.
Although this is most effective against algorithms which are designed to be relatively "slow" to compute, such as PBKDF2 (which, again, is the default hasher in Django's authentication framework), it is also effective against other hashers, as the time to compute the hash generally grows with the size of the password.
To remedy this, Django's authentication framework will now automatically fail authentication for any password exceeding 4096 bytes.
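The cost structure and the mitigation described above, as an added example that is not Django's code: the block models how many SHA-256 compression blocks a naive PBKDF2 (one that re-keys HMAC with the password on every round) must process as the password grows, and pairs a `pbkdf2_sha256$iterations$salt$hash` verifier with the 4096-byte pre-check applied before any hashing. The hex-encoded salt, the 10000 default iterations and all function names are this example's assumptions; OpenSSL-backed `hashlib.pbkdf2_hmac` preprocesses the key once, so the cost model describes the structure the advisory refers to rather than this implementation's own timing.

```python
import base64
import hashlib
import hmac
import math
import os
from typing import Optional

MAXIMUM_PASSWORD_LENGTH = 4096  # byte cap adopted by the fix described above
SHA256_BLOCK = 64               # HMAC-SHA256 block size in bytes


def hmac_blocks_per_round(password_len: int) -> int:
    """SHA-256 compression blocks for one HMAC evaluation when the password is the
    HMAC key and is re-processed on every PBKDF2 round (the cost structure behind
    the advisory). A key longer than one block is first hashed down to 32 bytes,
    costing ceil((len + 9) / 64) blocks after padding; the inner and outer hashes
    then cost 2 blocks each for a single-block message."""
    key_blocks = math.ceil((password_len + 9) / SHA256_BLOCK) if password_len > SHA256_BLOCK else 0
    return key_blocks + 4

def pbkdf2_cost(password_len: int, iterations: int) -> int:
    """Total compression blocks for one full PBKDF2 verification (naive re-keying)."""
    return iterations * hmac_blocks_per_round(password_len)

def password_too_long(password: str) -> bool:
    """Apply the cap to the encoded byte length, so multibyte text cannot slip past it."""
    return len(password.encode("utf-8")) > MAXIMUM_PASSWORD_LENGTH

def make_password(password: str, iterations: int = 10000, salt: Optional[bytes] = None) -> str:
    """Encode as 'pbkdf2_sha256$iterations$salt$hash'; the hex salt is this example's choice."""
    if password_too_long(password):
        raise ValueError("password exceeds %d bytes" % MAXIMUM_PASSWORD_LENGTH)
    salt = os.urandom(12) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), base64.b64encode(digest).decode())

def check_password(password: str, encoded: str) -> bool:
    """Refuse oversized input before any hashing work is done; only then pay the PBKDF2 cost."""
    if password_too_long(password):
        return False
    algorithm, iterations, salt_hex, stored = encoded.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hasher: %s" % algorithm)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(base64.b64encode(digest).decode(), stored)
```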
Affected versions
- Django master development branch
- Django 1.6 (currently at beta status)
- Django 1.5
- Django 1.4
At the time of this writing, efforts are being made to obtain a CVE for this issue. This post will be updated with the CVE once it has been obtained.
Update: this issue was assigned CVE-2013-1443.
Resolution
Patches have been applied to Django's master development branch, and to the 1.6, 1.5 and 1.4 release branches, which resolve the issue described above. The patches may be obtained directly from the following changesets:
- master development branch
- 1.6 release branch
- 1.5 release branch
- 1.4 release branch and additional commit for Python 2.5 compatibility
The following new releases have been issued:
- Django 1.6 beta 4 (download Django 1.6b4 | 1.6b4 checksums)
- Django 1.5.4 (download Django 1.5.4 | 1.5.4 checksums)
- Django 1.4.8 (download Django 1.4.8 | 1.4.8 checksums)
General notes regarding security reporting
As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. If you think you may have found a security issue but aren't sure, we urge you to err on the side of caution, and report via email rather than public channels. Please see our security policies for further information.
Posted by James Bennett on September 15, 2013