Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 24 Jul 2013 04:26:41 +0000
From: "Christey, Steven M." <>
To: "" <>
CC: "" <>, "Salvatore
 Bonaccorso" <>, Henri Salo <>
Subject: RE: CVE Request: Django: Account enumeration through
 timing attack in password verification in django.contrib.auth

Donald Stufft said:

>I don't think this really deserves a CVE. All versions of Django prior to
>1.6 (unreleased) have allowed you to determine if a username existed
>or not via the login failure message, negating the need to do any sort
>of timing attack.

The simple existence of a timing issue does not automatically qualify something for a CVE.  We have typically taken the approach that if there's a "policy" of a product in which the information is not regarded as sensitive - such as intended functionality - then this does not cross "privilege boundaries" and would not qualify for a CVE.  For example, if users automatically get public profiles, then the username might not be private.  If Django was intentionally providing this specific login failure details as a convenience to its users, then that forms a "policy" (which still might deserve its own CVE because Django admins might not want that).

This is an interesting case, because the "legitimate functionality" (login error message infoleak) is itself (potentially) an issue.

Is the login failure message hard-coded, or is it dependent on configuration?  If there's a possible configuration that hides the cause of login failure such as a custom message, then the timing attack would still be a valid scenario for enumerating usernames under that otherwise-good configuration, and would get a CVE.

Regardless, there probably needs to be a CVE for the login failure username enumeration before 1.6 (unless there already is one).

There is still a (minor) question about whether a CVE is necessary for the timing discrepancy.  When dealing with closely-related issues, another question is "if issue 1 is fixed, then would that automatically fix issue 2?"  (This is effectively finding chains.)  In this case, a fix for the login failure error message would not fix the timing discrepancy, so they are distinguishable issues, at the least.

- Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.