Date: Mon, 22 Jul 2013 17:04:44 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: security@...ngoproject.com
Subject: CVE Request: Django: Account enumeration through timing attack in password verification in django.contrib.auth

Hi

Cc'ing security@...ngoproject.com

From [1], in Django accounts can be enumerated through timing attacks:

> When attempting to authenticate using django.contrib.auth, if a user does not
> exist the authenticate() function returns None nearly instantaneously, while
> when a user exists it takes much longer as the attempted password gets hashed
> and compared with the stored password. This allows for an attacker to infer
> whether or not a given account exists based upon the response time of an
> authentication attempt.  This can be seen much more clearly when the number of
> rounds on the password hasher is set to something high like 100000.

 [1] https://code.djangoproject.com/ticket/20760

A proposed patch is at [2] but not yet a commit in upstream git repository.

 [2] https://code.djangoproject.com/attachment/ticket/20760/20760_fix_hash_once.diff

Does this need a CVE assignment?

Regards,
Salvatore
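As an added illustration (not code from this post, from the ticket, or from Django itself), a stdlib-only model of the two code paths the ticket describes: `authenticate_vulnerable` returns as soon as the username lookup fails, while `authenticate_fixed` runs the password hasher exactly once on every path so that unknown and existing accounts cost the same. The function names, the user table, the salts and the `HASH_CALLS` instrumentation are constructed for this example; the iteration count is the 100000 mentioned in the ticket.

```python
import hashlib
import hmac
import time

ITERATIONS = 100_000  # deliberately high, as in the ticket, so the cost gap is visible
HASH_CALLS = 0        # instrumentation: how many times the hasher ran (constructed)

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted PBKDF2-SHA256; this cost is what leaks whether the account exists."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user table: username -> (salt, stored hash). Only "alice" exists.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}
_DUMMY_SALT = b"dummy-salt-for-unknown-users"

def authenticate_vulnerable(username: str, password: str):
    """Unknown user: return None at once, no hash. Known user: hash once. Timing oracle."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    return username if ok else None

def authenticate_fixed(username: str, password: str):
    """Exactly one hash on every path, so unknown and known users take the same time."""
    record = USERS.get(username)
    if record is None:
        hash_password(password, _DUMMY_SALT)  # burn the same work, then discard it
        return None
    salt, stored = record
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    return username if ok else None

def hash_calls_for(fn, username: str, password: str) -> int:
    """Count hasher invocations for one call; deterministic, unlike wall-clock timing."""
    global HASH_CALLS
    HASH_CALLS = 0
    fn(username, password)
    return HASH_CALLS

if __name__ == "__main__":
    for fn in (authenticate_vulnerable, authenticate_fixed):
        for user in ("alice", "nobody"):
            t0 = time.perf_counter()
            fn(user, "wrong password")
            print(f"{fn.__name__:24s} {user:7s} {1000 * (time.perf_counter() - t0):7.1f} ms")
```

Running it prints a near-zero time for `nobody` under the vulnerable path and comparable times for both users under the fixed path.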
