On Wednesday, December 28, 2011 at 8:37 PM, Jesse Noller wrote:

>  
>  
> On Wednesday, December 28, 2011 at 8:28 PM, Michael Foord wrote:
>  
> > Hello all,
> >  
> > A paper (well, presentation) has been published highlighting security 
> > problems with the hashing algorithm (exploiting collisions) in many 
> > programming languages, Python included:
> >  
> > http://events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf
> >  
> > Although it's a security issue I'm posting it here because it is now public 
> > and seems important.
> >  
> > The issue they report can cause (for example) handling an http post to 
> > consume horrible amounts of cpu. For Python the figures they quoted:
> >  
> > reasonable-sized attack strings only for 32 bits
> > Plone has max. POST size of 1 MB
> > 7 minutes of CPU usage for a 1 MB request
> > ~20 kbits/s → keep one Core Duo core busy
> >  
> > This was apparently reported to the security list, but hasn't been 
> > responded to beyond an acknowledgement on November 24th (the original 
> > report didn't make it onto the security list because it was held in a 
> > moderation queue).  
> >  
> > The same vulnerability was reported against various languages and web 
> > frameworks, and is already fixed in some of them.
> >  
> > Their recommended fix is to randomize the hash function.
> >  
> > All the best,
> >  
> > Michael
>  
> Back up link for the PDF:
> http://dl.dropbox.com/u/1374/2007_28C3_Effective_DoS_on_web_application_platforms.pdf
>  
> Ocert disclosure:
> http://www.ocert.org/advisories/ocert-2011-003.html

And more analysis/information:

http://cryptanalysis.eu/blog/2011/12/28/effective-dos-attacks-against-web-application-plattforms-hashdos/
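The mechanism the slides describe, shown as an added example that is not part of the thread, the 28C3 slides or CPython itself: a deterministic string hash lets an attacker precompute keys that share a bucket, so every insert walks the whole chain and n inserts cost O(n^2) comparisons; a keyed hash with a per-process secret removes that predictability. `py2_str_hash` mirrors the structure of the CPython 2 `str` hash (x = c0 << 7; x = (1000003 * x) ^ c per character; x ^= len), truncated to 32 bits; the keyed replacement uses BLAKE2b from the standard library as a stand-in for the SipHash that CPython adopted later. The fixed-size chained table, the bucket-level (rather than full 32-bit) collision search and the 512/200 parameters are simplifications chosen so the search runs in well under a second; the real attack finds full-hash collisions, which also survive dict resizing.

```python
import hashlib
import itertools
import os
import string

MASK32 = 0xFFFFFFFF


def py2_str_hash(s):
    """Unkeyed hash with the structure CPython 2 used for str objects.
    Fully deterministic and public, so colliding inputs can be found offline."""
    if not s:
        return 0
    x = ord(s[0]) << 7
    for ch in s:
        x = ((1000003 * x) ^ ord(ch)) & MASK32
    return (x ^ len(s)) & MASK32


def keyed_hash(s, key):
    """Keyed stand-in for a randomized hash: the per-process secret `key`
    feeds a keyed BLAKE2b (CPython itself uses SipHash). Without the key the
    attacker cannot predict which strings will collide."""
    digest = hashlib.blake2b(s.encode(), key=key, digest_size=4).digest()
    return int.from_bytes(digest, "little")


class ChainedTable:
    """Toy fixed-size chained hash table (assumption: no resizing) that counts
    how many stored entries each insert compares against before appending."""

    def __init__(self, hash_fn, nbuckets=512):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def colliding_keys(hash_fn, nbuckets, count, length=4):
    """Attacker's offline step: enumerate lowercase strings until `count` of
    them land in the same bucket under the public, unkeyed hash function."""
    groups = {}
    for chars in itertools.product(string.ascii_lowercase, repeat=length):
        s = "".join(chars)
        grp = groups.setdefault(hash_fn(s) % nbuckets, [])
        grp.append(s)
        if len(grp) == count:
            return grp
    raise ValueError("candidate space exhausted before reaching count")


def insertion_cost(hash_fn, keys, nbuckets=512):
    """Total chain comparisons spent inserting `keys` into a fresh table."""
    table = ChainedTable(hash_fn, nbuckets)
    for k in keys:
        table.insert(k, None)
    return table.comparisons


def demo(nbuckets=512, count=200, key=None):
    """Insert the same attacker-chosen keys under both hash functions.
    With the unkeyed hash all `count` keys share one chain: cost = count*(count-1)/2.
    With a secret key they spread out like ordinary input."""
    key = key if key is not None else os.urandom(16)
    attack = colliding_keys(py2_str_hash, nbuckets, count)
    return {
        "unkeyed": insertion_cost(py2_str_hash, attack, nbuckets),
        "keyed": insertion_cost(lambda s: keyed_hash(s, key), attack, nbuckets),
    }


if __name__ == "__main__":
    print(demo())
```

The comparison count is the quantity that grows quadratically in the attack; scale `count` up and the unkeyed figure tracks n^2 while the keyed figure stays near the n^2/(2*nbuckets) expected for random input. The randomized hash does not change the table, only which keys happen to collide, which is why the slides' recommended fix is cheap to deploy.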
  


_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev