Django remedies a security issue: denial-of-service attack against the authentication framework
Today the Django team is issuing multiple releases -- Django 1.4.8, Django 1.5.4, and Django 1.6 beta 4 -- to remedy a security issue which was disclosed publicly by a third party earlier today. These releases are now available on PyPI and our download page.
These releases address a denial-of-service attack against Django's authentication framework. All users of Django are encouraged to upgrade immediately.
Release outside of normal security process
Normally, our security process involves a one-week lead time for third parties on our security prenotification list. That process, however, relies on responsible disclosure practices which maintain confidentiality of a security issue until a coordinated public release date. To facilitate that, we ask that potential security issues always be reported via email to security@djangoproject.com, rather than through public channels such as Django's ticket tracker or the django-developers mailing list.
This issue, unfortunately, could not be handled by our normal process, as it was first reported publicly on the django-developers mailing list. It has since been confirmed by the Django core team, and due to the already-public nature of the issue and the potential to impact live deployments of Django, we are instead issuing security releases immediately.
Issue: denial-of-service via large passwords
Django's authentication framework -- django.contrib.auth -- includes a default User model and backend which authenticates via username and password. The raw password is not stored in the database; instead, a hashed version of the password is stored, and each time a user attempts to log in the hash of the submitted password is recomputed and compared against the stored value. The hasher to use is configurable, via the PASSWORD_HASHERS setting.
The default password hasher in Django is PBKDF2, which has the virtue of allowing the complexity of computing the hash to be effectively arbitrarily high, by repeated "rounds" of application before producing the final result. This increases the difficulty of attacks which use brute-force methods to compute the hashes of many possible plaintext values, in hopes of discovering which plaintext password corresponds to a given hashed value.
Unfortunately, this complexity can also be used as an attack vector. Django does not impose any maximum on the length of the plaintext password, meaning that an attacker can simply submit arbitrarily large -- and guaranteed-to-fail -- passwords, forcing a server running Django to perform the resulting expensive hash computation in an attempt to check the password. A password one megabyte in size, for example, will require roughly one minute of computation to check when using the PBKDF2 hasher.
This allows for denial-of-service attacks through repeated submission of large passwords, tying up server resources in the expensive computation of the corresponding hashes.
Although this is most effective against algorithms which are designed to be relatively "slow" to compute, such as PBKDF2 (which, again, is the default hasher in Django's authentication framework), it also is effective against other hashers, as the time to compute the hash generally grows with the size of the password.
To remedy this, Django's authentication framework will now automatically fail authentication for any password exceeding 4096 bytes.
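The following is an added example, not code from the original post or from Django itself. It models the cost described above with a deliberately naive pure-Python PBKDF2-HMAC-SHA256 that builds a fresh HMAC on every round (so a key longer than the 64-byte SHA-256 block size is hashed down again on every round), stores the result in the same `algorithm$iterations$salt$hash` shape Django uses, and then contrasts an unbounded verifier with one that applies the 4096-byte cap before any hashing happens. Names such as `naive_pbkdf2_sha256`, `check_password_unbounded` and `rejected_before_hashing` are this example's own; counting the limit in UTF-8 bytes and the sample stored hash are assumptions of the example, not Django's implementation details.

```python
import hashlib
import hmac
import secrets
import time
from base64 import b64decode, b64encode

# Cap stated in the advisory. Measuring it in UTF-8 bytes is this example's
# assumption; the point is that the check runs before the hasher does.
MAX_PASSWORD_LENGTH = 4096


def naive_pbkdf2_sha256(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Single-block PBKDF2-HMAC-SHA256 (RFC 2898) written the expensive way.

    A new HMAC object is constructed on every round, so a password longer
    than SHA-256's 64-byte block is re-hashed in full on every round. That is
    the cost an attacker multiplies by sending a multi-megabyte password.
    (hashlib.pbkdf2_hmac keys HMAC once up front and does not suffer this.)
    """
    u = hmac.new(password, salt + (1).to_bytes(4, "big"), hashlib.sha256).digest()
    acc = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha256).digest()  # U_i = HMAC(P, U_{i-1})
        acc ^= int.from_bytes(u, "big")                     # T = U_1 xor ... xor U_c
    return acc.to_bytes(32, "big")


def matches_stdlib(password: bytes, salt: bytes, iterations: int) -> bool:
    """Self-check: the naive routine must agree with hashlib.pbkdf2_hmac."""
    expected = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return naive_pbkdf2_sha256(password, salt, iterations) == expected


def make_password(password: str, iterations: int = 10000, salt: str = "") -> str:
    """Encode as 'pbkdf2_sha256$<iterations>$<salt>$<base64 digest>'."""
    salt = salt or secrets.token_hex(6)
    digest = naive_pbkdf2_sha256(password.encode("utf-8"), salt.encode("ascii"), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, b64encode(digest).decode("ascii"))


def check_password_unbounded(candidate: str, encoded: str) -> bool:
    """Pre-patch behaviour: hash whatever arrives, however large it is."""
    _algorithm, iterations, salt, digest_b64 = encoded.split("$", 3)
    digest = naive_pbkdf2_sha256(candidate.encode("utf-8"), salt.encode("ascii"), int(iterations))
    return hmac.compare_digest(digest, b64decode(digest_b64))


def rejected_before_hashing(candidate: str) -> bool:
    """The gate the advisory describes: over-long input fails without hashing."""
    return len(candidate.encode("utf-8")) > MAX_PASSWORD_LENGTH


def check_password(candidate: str, encoded: str) -> bool:
    """Patched behaviour: refuse over-long input before touching the hasher."""
    if rejected_before_hashing(candidate):
        return False
    return check_password_unbounded(candidate, encoded)


def time_check(candidate: str, encoded: str, bounded: bool) -> float:
    """Seconds spent verifying one candidate with either verifier."""
    verify = check_password if bounded else check_password_unbounded
    start = time.perf_counter()
    verify(candidate, encoded)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample: few rounds and a fixed salt so the demo finishes quickly.
    stored = make_password("correct horse battery staple", iterations=1000, salt="deadbeefcafe")
    for size in (16, 64 * 1024, 256 * 1024):
        bogus = "A" * size  # guaranteed-to-fail, as in the attack
        t_old = time_check(bogus, stored, bounded=False)
        t_new = time_check(bogus, stored, bounded=True)
        print("%7d-byte password: unbounded %.3fs  bounded %.6fs" % (size, t_old, t_new))
```

Run it and the unbounded column grows roughly linearly with the password size while the bounded column stays flat once the cap is exceeded; raise `iterations` toward a production value and the gap becomes the minutes-per-request figure quoted above. Two caveats when applying this pattern: count the limit in the same unit your framework does (bytes here, an assumption of this example), and keep the cap even on a runtime whose PBKDF2 pre-keys HMAC once (OpenSSL-backed `hashlib.pbkdf2_hmac` does), since that only removes the per-round multiplier, not the cost of accepting and processing an arbitrarily large request body.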
Affected versions
- Django master development branch
- Django 1.6 (currently at beta status)
- Django 1.5
- Django 1.4
At the time of this writing, efforts are being made to obtain a CVE for this issue. This post will be updated with the CVE once it has been obtained.
Update: this issue was assigned CVE-2013-1443.
Resolution
Patches have been applied to Django's master development branch, and to the 1.6, 1.5 and 1.4 release branches, which resolve the issue described above. The patches may be obtained directly from the following changesets:
- master development branch
- 1.6 release branch
- 1.5 release branch
- 1.4 release branch and additional commit for Python 2.5 compatibility
The following new releases have been issued:
- Django 1.6 beta 4 (download Django 1.6b4 | 1.6b4 checksums)
- Django 1.5.4 (download Django 1.5.4 | 1.5.4 checksums)
- Django 1.4.8 (download Django 1.4.8 | 1.4.8 checksums)
General notes regarding security reporting
As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. If you think you may have found a security issue but aren't sure, we urge you to err on the side of caution, and report via email rather than public channels. Please see our security policies for further information.
Posted by James Bennett on September 15, 2013