Today the Django team is issuing multiple releases -- Django 1.4.8, Django 1.5.4, and Django 1.6 beta 4 -- to remedy a security issue which was disclosed publicly by a third party earlier today. These releases are now available on PyPI and our download page.

These releases address a denial-of-service attack against Django's authentication framework. All users of Django are encouraged to upgrade immediately.

Release outside of normal security process

Normally, our security process involves a one-week lead time for third parties on our security prenotification list. That process, however, relies on responsible disclosure practices which maintain confidentiality of a security issue until a coordinated public release date. To facilitate that, we ask that potential security issues always be reported via email to security@djangoproject.com, rather than through public channels such as Django's ticket tracker or the django-developers mailing list.

This issue, unfortunately, could not be handled by our normal process, as it was first reported publicly on the django-developers mailing list. It has since been confirmed by the Django core team, and due to the already-public nature of the issue and the potential to impact live deployments of Django, we are instead issuing security releases immediately.

Issue: denial-of-service via large passwords

Django's authentication framework -- django.contrib.auth -- includes a default User model and backend which authenticates via username and password. The raw password is not stored in the database; instead, a hashed version of the password is stored, and the hash is computed each time a user attempts to log in. The hasher to use is configurable, via the PASSWORD_HASHERS setting.

The default password hasher in Django is PBKDF2, which has the virtue of allowing the complexity of computing the hash to be effectively arbitrarily high, by repeated "rounds" of application before producing the final result. This increases the difficulty of attacks which use brute-force methods to compute the hashes of many possible plaintext values, in hopes of discovering which plaintext password corresponds to a given hashed value.

Unfortunately, this complexity can also be used as an attack vector. Django does not impose any maximum on the length of the plaintext password, meaning that an attacker can simply submit arbitrarily large -- and guaranteed-to-fail -- passwords, forcing a server running Django to perform the resulting expensive hash computation in an attempt to check the password. A password one megabyte in size, for example, will require roughly one minute of computation to check when using the PBKDF2 hasher.

This allows for denial-of-service attacks through repeated submission of large passwords, tying up server resources in the expensive computation of the corresponding hashes.

Although this is most effective against algorithms which are designed to be relatively "slow" to compute, such as PBKDF2 (which, again, is the default hasher in Django's authentication framework), it also is effective against other hashers, as the time to compute the hash generally grows with the size of the password.

To remedy this, Django's authentication framework will now automatically fail authentication for any password exceeding 4096 bytes.

Affected versions

  • Django master development branch
  • Django 1.6 (currently at beta status)
  • Django 1.5
  • Django 1.4

At the time of this writing, efforts are being made to obtain a CVE for this issue. This post will be updated with the CVE once it has been obtained.

Update: this issue was assigned CVE-2013-1443.

Resolution

Patches have been applied to Django's master development branch, and to the 1.6, 1.5 and 1.4 release branches, which resolve the issue described above. The patches may be obtained directly from the following changesets:

The following new releases have been issued:

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. If you think you may have found a security issue but aren't sure, we urge you to err on the side of caution, and report via email rather than public channels. Please see our security policies for further information.

Posted by James Bennett on September 15, 2013

Django remedy a security issue refer dos attack的更多相关文章

  1. Web 服务器 low bandth DOS attack

    https://www.owasp.org/images/0/04/Roberto_Suggi_Liverani_OWASPNZDAY2010-Defending_against_applicatio ...

  2. C++ security issue analyze

    https://sploitfun.wordpress.com/about-2/ “Happiness is only real when shared” – Into the wild http:/ ...

  3. Django : Security in Django

    Security in Django https://docs.djangoproject.com/en/1.10/topics/security/ 1 Cross site scripting (X ...

  4. A Study of WebRTC Security

    转自:http://webrtc-security.github.io/ A Study of WebRTC Security Abstract Web Real-Time Communication ...

  5. Security Checklist (路由器安全checklist)

    Security Checklist Website by     Michael Horowitz  Home | Introduction | Router Bugs | Security Che ...

  6. Django Model field reference

    ===================== Model field reference ===================== .. module:: django.db.models.field ...

  7. Network Security Threats

    Network Security Combination of low-cost powerful computing and high-performance networks is a two-e ...

  8. Awesome Django

     Awesome Django    If you find Awesome Django useful, please consider donating to help maintain it. ...

  9. Even uploading a JPG file can lead to Cross-Site Content Hijacking (client-side attack)!

    Introduction: This post is going to introduce a new technique that has not been covered previously i ...

随机推荐

  1. PowerDesigner工具箱(palette)关了如何重新打开

    PowerDesigner的设计工具箱palette,palette的实际意思:颜料.调色板 工具箱关闭了 重新打开的方法其实很简单的,贴几张图片上来,帮助一下大家 方法一: 在工具栏的空白处点击鼠标 ...

  2. ACM International Collegiate Programming Contest, Egyptian Collegiate Programming Contest (ECPC 2015)

    A.Arcade Game(康拓展开) 题意: 给出一个每个数位都不同的数n,进行一场游戏.每次游戏将n个数的每个数位重组.如果重组后的数比原来的数大则继续游戏,否则算输.如果重组后的数是最大的数则算 ...

  3. BZOJ 1023: [SHOI2008]cactus仙人掌图 | 在仙人掌上跑DP

    题目: 求仙人掌直径 http://www.lydsy.com/JudgeOnline/problem.php?id=1023 题解: 首先给出仙人掌的定义:满足所有的边至多在一个环上的无向联通图 我 ...

  4. Visual Studio调试之符号文件

    原文链接地址:http://www.cnblogs.com/killmyday/archive/2009/10/14/1582882.html 前面在不能设置断点的检查步骤和Visual Studio ...

  5. BZOJ2257 [Jsoi2009]瓶子和燃料 【裴蜀定理】

    题目链接 BZOJ2257 题解 由裴蜀定理我们知道,若干的瓶子如此倾倒最小能凑出的是其\(gcd\) 现在我们需要求出\(n\)个瓶子中选出\(K\)个使\(gcd\)最大 每个数求出因数排序即可 ...

  6. 停课day1

    一早上只做了一个calculator 还是参照题解,好惭愧 f[1]=0; flag[1]=true;    for (int i=2,N=num[n];i<p;i++) {        fo ...

  7. Nginx support TCP Load balance

    1. Install nginx package 2. edit nginx configuration file [root@ip- nginx]# more nginx.conf user ngi ...

  8. 【数据结构】bzoj1636/bzoj1699排队

    Description 每天,农夫 John 的N(1 <= N <= 50,000)头牛总是按同一序列排队. 有一天, John 决定让一些牛们玩一场飞盘比赛. 他准备找一群在对列中为置 ...

  9. Spring - IoC(12): 属性占位符

    使用属性占位符可以将 Spring 配置文件中的部分元数据放在属性文件中设置,这样可以将相似的配置(如 JDBC 的参数配置)放在特定的属性文件中,如果只需要修改这部分配置,则无需修改 Spring ...

  10. bzoj 1706: [usaco2007 Nov]relays 奶牛接力跑——倍增floyd

    Description FJ的N(2 <= N <= 1,000,000)头奶牛选择了接力跑作为她们的日常锻炼项目.至于进行接力跑的地点 自然是在牧场中现有的T(2 <= T < ...