[Bug 1225784] [NEW] CVE-2013-1443 denial-of-service via large passwords
Chris Johnston
chris.johnston at canonical.com
Sun Sep 15 21:01:06 UTC 2013
*** This bug is a security vulnerability ***
Public security bug reported:
https://www.djangoproject.com/weblog/2013/sep/15/security/
"Django does not impose any maximum on the length of the plaintext
password, meaning that an attacker can simply submit arbitrarily large
-- and guaranteed-to-fail -- passwords, forcing a server running Django
to perform the resulting expensive hash computation in an attempt to
check the password. A password one megabyte in size, for example, will
require roughly one minute of computation to check when using the PBKDF2
hasher.
This allows for denial-of-service attacks through repeated submission of
large passwords, tying up server resources in the expensive computation
of the corresponding hashes."
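Added example, not part of the bug report or of Django's code base: the cost blow-up
comes from HMAC, which hashes any key longer than the hash block size down to one
digest, so a PBKDF2 that re-keys HMAC on every iteration (instead of caching the keyed
state) pays for hashing the whole password once per iteration. The block below builds
that re-keying PBKDF2-HMAC-SHA256 with a byte counter so the cost can be compared
without timing, and shows the mitigation of rejecting oversized passwords before any
hashing happens. The 4096-byte limit, the salt and the iteration counts are
assumptions chosen for the example, not values taken from the advisory.

```python
import hashlib
import hmac
import struct

BLOCK_SIZE = 64            # SHA-256 block size in bytes
MAX_PASSWORD_LENGTH = 4096  # assumed limit for the example; check the fixed release for the real one


class HashCost:
    """Counts bytes fed to SHA-256 so hashing work can be compared deterministically."""

    def __init__(self):
        self.bytes_hashed = 0

    def sha256(self, data: bytes) -> bytes:
        self.bytes_hashed += len(data)
        return hashlib.sha256(data).digest()


def hmac_sha256_rekeyed(cost: HashCost, key: bytes, msg: bytes) -> bytes:
    """Textbook HMAC (RFC 2104). A key longer than BLOCK_SIZE is hashed down first,
    so every call pays for hashing the entire key when the key is a long password."""
    if len(key) > BLOCK_SIZE:
        key = cost.sha256(key)
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return cost.sha256(opad + cost.sha256(ipad + msg))


def pbkdf2_sha256_rekeyed(cost: HashCost, password: bytes, salt: bytes,
                          iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 (RFC 2898) that re-keys HMAC on each iteration instead of
    caching the keyed state: the pattern whose cost grows with len(password)."""
    out = b""
    block = 1
    while len(out) < dklen:
        u = hmac_sha256_rekeyed(cost, password, salt + struct.pack(">I", block))
        t = u
        for _ in range(iterations - 1):
            u = hmac_sha256_rekeyed(cost, password, u)
            t = bytes(a ^ b for a, b in zip(t, u))
        out += t
        block += 1
    return out[:dklen]


def hashing_cost(password: bytes, iterations: int = 1000) -> int:
    """Bytes hashed to check `password` with the re-keying PBKDF2 above."""
    cost = HashCost()
    pbkdf2_sha256_rekeyed(cost, password, b"constructed-salt", iterations)
    return cost.bytes_hashed


def verify_hardened(password: bytes, stored_hash: bytes, salt: bytes,
                    iterations: int) -> tuple:
    """Mitigation: refuse oversized passwords before doing any hashing, then
    compare in constant time. Returns (accepted, bytes_hashed)."""
    if len(password) > MAX_PASSWORD_LENGTH:
        return False, 0
    cost = HashCost()
    candidate = pbkdf2_sha256_rekeyed(cost, password, salt, iterations)
    return hmac.compare_digest(candidate, stored_hash), cost.bytes_hashed


if __name__ == "__main__":
    short = hashing_cost(b"correct horse", 1000)
    long_ = hashing_cost(b"A" * 100_000, 1000)
    print("bytes hashed, 13-byte password :", short)
    print("bytes hashed, 100 kB password  :", long_, "(%.0fx)" % (long_ / short))
```

The length cap is the cheap fix and the one to apply at the form or view layer; the
structural fix is a PBKDF2 that keys HMAC once and reuses the inner and outer state,
which makes the per-iteration cost independent of password length (hashlib.pbkdf2_hmac
in Python 3 behaves that way). Keep the cap even then, since the password still has
to be read and hashed once.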
** Affects: python-django (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to python-django in Ubuntu.
https://bugs.launchpad.net/bugs/1225784
Title:
CVE-2013-1443 denial-of-service via large passwords
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-django/+bug/1225784/+subscriptions