Date: Mon, 22 Jul 2013 17:04:44 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: security@...ngoproject.com
Subject: CVE Request: Django: Account enumeration through timing attack in password verification in django.contrib.auth

Hi

Cc'ing security@...ngoproject.com

From [1], in Django accounts can be enumerated through timing attacks:

> When attempting to authenticate using django.contrib.auth, if a user does not
> exist the authenticate() function returns None nearly instantaneously, while
> when a user exists it takes much longer as the attempted password gets hashed
> and compared with the stored password. This allows for an attacker to infer
> whether or not a given account exists based upon the response time of an
> authentication attempt. This can be seen much more clearly when the number of
> rounds on the password hasher is set to something high like 100000.

 [1] https://code.djangoproject.com/ticket/20760

A proposed patch is at [2] but is not yet a commit in the upstream git repository.

 [2] https://code.djangoproject.com/attachment/ticket/20760/20760_fix_hash_once.diff

Does this need a CVE assignment?

Regards,
Salvatore
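The behaviour reported above (no hashing when the user does not exist) beside the "hash once" mitigation the proposed patch's file name points to, as a self-contained Python illustration added here; this is not Django's code, and the toy PBKDF2 hasher, user store and salts are constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-in for Django's PBKDF2 hasher. The iteration count is
# high so that skipping the hash is a large, measurable time difference.
ITERATIONS = 100_000


class Hasher:
    """PBKDF2-SHA256 hasher that counts how many expensive encodes it ran."""

    def __init__(self):
        self.calls = 0

    def encode(self, password: str, salt: bytes) -> bytes:
        self.calls += 1
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def verify(self, password: str, salt: bytes, stored: bytes) -> bool:
        return hmac.compare_digest(self.encode(password, salt), stored)


hasher = Hasher()

# Constructed user store: username -> (salt, stored hash).
SALT = b"constructed-user-salt"
USERS = {"alice": (SALT, hasher.encode("correct horse", SALT))}

# Dummy credential built once at import time so the mitigated path can do a
# real-cost verification even when the username is unknown.
DUMMY_SALT = b"constructed-dummy-salt"
DUMMY_HASH = hasher.encode("dummy-password", DUMMY_SALT)
hasher.calls = 0  # setup work is not part of any login attempt


def authenticate_vulnerable(username: str, password: str):
    """Returns at once for unknown users: zero hash work, so a fast reply
    reveals that the account does not exist (the ticket 20760 behaviour)."""
    entry = USERS.get(username)
    if entry is None:
        return None
    salt, stored = entry
    return username if hasher.verify(password, salt, stored) else None


def authenticate_mitigated(username: str, password: str):
    """Runs the hasher exactly once whether or not the user exists, so
    response time no longer separates 'no such user' from 'wrong password'."""
    entry = USERS.get(username)
    if entry is None:
        hasher.verify(password, DUMMY_SALT, DUMMY_HASH)  # result discarded
        return None
    salt, stored = entry
    return username if hasher.verify(password, salt, stored) else None


def hash_calls_for(auth_fn, username: str, password: str) -> int:
    """Returns how many expensive hash computations one attempt costs."""
    before = hasher.calls
    auth_fn(username, password)
    return hasher.calls - before
```

Comparing `hash_calls_for` across a known and an unknown username is the deterministic version of the timing measurement: the vulnerable function costs 0 hashes for an unknown user and 1 for a known one, while the mitigated function costs 1 in both cases.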