Date: Mon, 22 Jul 2013 17:04:44 +0200
From: Salvatore Bonaccorso <>
To: OSS Security Mailinglist <>
Subject: CVE Request: Django: Account enumeration through timing attack in
 password verification in django.contrib.auth



From [1], in Django accounts can be enumerated through timing attacks:

> When attempting to authenticate using django.contrib.auth, if a user does not
> exist the authenticate() function returns None nearly instantaneously, while
> when a user exists it takes much longer as the attempted password gets hashed
> and compared with the stored password. This allows for an attacker to infer
> whether or not a given account exists based upon the response time of an
> authentication attempt.  This can be seen much more clearly when the number of
> rounds on the password hasher is set to something high like 100000.


A proposed patch is at [2] but not yet a commit in upstream git repository.


Does this need a CVE assignment?
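The timing difference the quoted report describes, and the standard mitigation of running the password hasher even when no user is found, as an added illustration that is not part of the original post or of Django's own code. The PBKDF2 hasher, the user table and the `authenticate_*` functions below are constructed stand-ins; the 100000-round figure is the one the report mentions.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a PBKDF2 password hasher and user table; this is
# illustrative code, not django.contrib.auth itself.
ITERATIONS = 100_000  # the high round count the report mentions

def make_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def check_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# Constructed user store: username -> (salt, digest).
USERS = {"alice": make_password("correct horse battery staple")}
# Dummy credential hashed on every miss so an unknown user costs as much as a known one.
_DUMMY_SALT, _DUMMY_DIGEST = make_password(os.urandom(8).hex())

def authenticate_vulnerable(username, password):
    """Mirrors the reported behaviour: an unknown user short-circuits before hashing."""
    record = USERS.get(username)
    if record is None:
        return None  # returns almost instantly: no hash is computed
    return username if check_password(password, *record) else None

def authenticate_hardened(username, password):
    """Spends the same PBKDF2 cost whether or not the user exists."""
    record = USERS.get(username)
    if record is None:
        # Burn the same hashing work as a real check, then reject.
        check_password(password, _DUMMY_SALT, _DUMMY_DIGEST)
        return None
    return username if check_password(password, *record) else None

def timed(fn, username, password):
    """Wall-clock seconds for one authentication attempt."""
    start = time.perf_counter()
    fn(username, password)
    return time.perf_counter() - start

if __name__ == "__main__":
    for fn in (authenticate_vulnerable, authenticate_hardened):
        existing, missing = timed(fn, "alice", "wrong"), timed(fn, "mallory", "wrong")
        print(f"{fn.__name__}: existing={existing:.4f}s missing={missing:.4f}s")
```

With the vulnerable variant the missing-user attempt returns in microseconds while the existing-user attempt takes the full PBKDF2 time; with the hardened variant both take roughly the same time.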

