On Wednesday, December 28, 2011 at 8:37 PM, Jesse Noller wrote:
> On Wednesday, December 28, 2011 at 8:28 PM, Michael Foord wrote:
> > Hello all,
> >
> > A paper (well, presentation) has been published highlighting security
> > problems with the hashing algorithm (exploiting collisions) in many
> > programming languages, Python included:
> >
> > http://events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf
> >
> > Although it's a security issue I'm posting it here because it is now public
> > and seems important.
> >
> > The issue they report can cause (for example) handling an http post to
> > consume horrible amounts of cpu. For Python the figures they quoted:
> >
> > reasonable-sized attack strings only for 32 bits
> > Plone has max. POST size of 1 MB
> > 7 minutes of CPU usage for a 1 MB request
> > ~20 kbits/s → keep one Core Duo core busy
> >
> > This was apparently reported to the security list, but hasn't been
> > responded to beyond an acknowledgement on November 24th (the original
> > report didn't make it onto the security list because it was held in a
> > moderation queue).
> >
> > The same vulnerability was reported against various languages and web
> > frameworks, and is already fixed in some of them.
> >
> > Their recommended fix is to randomize the hash function.
> >
> > All the best,
> >
> > Michael
>
> Back up link for the PDF:
> http://dl.dropbox.com/u/1374/2007_28C3_Effective_DoS_on_web_application_platforms.pdf
>
> Ocert disclosure:
> http://www.ocert.org/advisories/ocert-2011-003.html

And more analysis/information:
http://cryptanalysis.eu/blog/2011/12/28/effective-dos-attacks-against-web-application-plattforms-hashdos/

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
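Two defender-side checks for the hash-collision DoS the thread describes, as an added example that is not code from the thread or from CPython: confirming that the interpreter actually salts string hashes (the randomization fix Michael's post recommends), and parsing a form body with a hard cap on the number of fields so a single POST cannot carry enough keys to degrade a dict. The `MAX_FIELDS` value and the `TooManyFields` class are assumptions chosen for this example.

```python
# Added example, not from the python-dev thread or CPython itself.
import subprocess
import sys
from urllib.parse import parse_qsl

# Assumed limit for this example; it matches the default Django later
# adopted for DATA_UPLOAD_MAX_NUMBER_FIELDS after this class of attack.
MAX_FIELDS = 1000


class TooManyFields(ValueError):
    """Raised when a request body carries more form fields than allowed."""


def hash_randomization_enabled() -> bool:
    """True when this interpreter salts str/bytes hashes per process
    (the mitigation the thread recommends; CPython enables it by default
    since 3.3, or with -R / PYTHONHASHSEED on earlier releases)."""
    return bool(sys.flags.hash_randomization)


def hash_differs_across_processes(value: str = "hashdos") -> bool:
    """Spawn two child interpreters with different seeds and check that
    hash() of the same string differs, which is what stops an attacker
    from precomputing one colliding key set that works everywhere."""
    code = f"print(hash({value!r}))"
    results = []
    for seed in ("1", "2"):
        out = subprocess.run(
            [sys.executable, "-c", code],
            env={"PYTHONHASHSEED": seed},
            capture_output=True, text=True, check=True,
        ).stdout.strip()
        results.append(int(out))
    return results[0] != results[1]


def parse_form(body: str, max_fields: int = MAX_FIELDS) -> dict:
    """Parse an x-www-form-urlencoded body into a dict, refusing oversized
    field counts before any key is inserted.  parse_qsl's max_num_fields
    guard counts separators first (linear, independent of hashing), so
    the expensive dict build never starts for an over-limit request."""
    try:
        pairs = parse_qsl(body, keep_blank_values=True,
                          max_num_fields=max_fields)
    except ValueError as exc:
        raise TooManyFields(f"more than {max_fields} form fields") from exc
    return dict(pairs)
```

Pairing the field cap with a body-size limit (the thread notes Plone's 1 MB POST limit) bounds both the number of keys and the bytes spent hashing them.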