RE: DoS using POST via hash algorithm collision

2012-01-20 Thread Kääriäinen Anssi
Paul McMillan had a very good posting about this on the Python issue tracker.
The problem is that whenever you put user supplied data into a hashmap, you are
vulnerable to this attack. This basically includes most Python modules, and I
would guess a lot of user code, too. So, if you fix JSON and POST, you still
have about 99% (likely would actually round to 100%) of the attack surface left.

I found these links very informative about this matter:
http://lwn.net/Articles/474912/ and http://bugs.python.org/issue13703#msg150840
(McMillan's post mentioned above).

 - Anssi

--
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.




Re: DoS using POST via hash algorithm collision

2012-01-20 Thread Luke Plant
On 20/01/12 08:47, Aymeric Augustin wrote:
> 2012/1/20 Łukasz Rekucki
> 
> We all know browsers won't crash and they will render the page exactly
> the same. I volunteer to fix any issues in the test suite (considering
> the hash changes also between 32-bit/64-bit Python, I'm not sure there
> are even any or we would get a report on that, wouldn't we ?).
> 
> I think it's important for the Django core team to voice their opinion
> on this matter in python-dev.
> 
> Hello Łukasz,
> 
> I absolutely agree -- code that relies on a deterministic dictionary
> order is broken and should be fixed.

I agree with this completely, and Carl's post:

http://mail.python.org/pipermail/python-dev/2012-January/115700.html

Whether this should be fixed in Python or not is a different question.

Most of the web specific problems can be fixed relatively easily with
HTTP specific solutions and limits. We can easily change how we handle
POST and GET data to a protected solution (by length limitation or a
custom datastructure), and we can protect cookie parsing using simple
length limits (and continue using stdlib SimpleCookie).

However, JSON parsing, which is a common task for web sites, is much
harder to fix, because almost by definition you've got to return
dictionaries with arbitrary keys and arbitrary size, and because as a
framework we don't control how developers do JSON parsing.

Luke


-- 
"Cross country skiing is great if you live in a small country."
(Steven Wright)

Luke Plant || http://lukeplant.me.uk/




Re: DoS using POST via hash algorithm collision

2012-01-20 Thread Aymeric Augustin
2012/1/20 Łukasz Rekucki 

> We all know browsers won't crash and they will render the page exactly
> the same. I volunteer to fix any issues in the test suite (considering
> the hash changes also between 32-bit/64-bit Python, I'm not sure there
> are even any or we would get a report on that, wouldn't we ?).
>
> I think it's important for the Django core team to voice their opinion
> on this matter in python-dev.
>

Hello Łukasz,

I absolutely agree — code that relies on a deterministic dictionary order
is broken and should be fixed.

Best regards,


-- 
Aymeric.




Re: DoS using POST via hash algorithm collision

2012-01-19 Thread Łukasz Rekucki
Dear django-developers,

It seems that Django has now become the argument for NOT fixing this
issue properly. Citing python-dev:

> For example, in the Django test
> suite, the HTML output is different at each run. Web browsers may
> render the web page differently, or crash, or ... I don't think that
> Django would like to sort attributes of each HTML tag, just because we
> wanted to fix a vulnerability.

We all know browsers won't crash and they will render the page exactly
the same. I volunteer to fix any issues in the test suite (considering
the hash changes also between 32-bit/64-bit Python, I'm not sure there
are even any or we would get a report on that, wouldn't we ?).

I think it's important for the Django core team to voice their opinion
on this matter in python-dev.


Thank you!

Łukasz Rekucki




Re: DoS using POST via hash algorithm collision

2012-01-02 Thread Cal Leeming [Simplicity Media Ltd]
Hi Luciano,

Curious, I was unaware of any such DoS vulnerability - makes for very
interesting reading.

Thanks for sharing this with the list - may be worth sending to
django-users as well.

Cal

On Thu, Dec 29, 2011 at 2:26 AM, Luciano Pacheco  wrote:

> Hi all,
>
> Have you guys seen this?
> http://www.ocert.org/advisories/ocert-2011-003.html
>
> PDF with some more explanation:
> http://www.nruns.com/_downloads/advisory28122011.pdf
>
> Regards,
> --
> Luciano Pacheco
> blog.lucmult.com.br
>



Re: DoS using POST via hash algorithm collision

2011-12-29 Thread Paul McMillan
> invasive to app code.  It seems that this crafted-hash-collision
> vector doesn't have a clean answer like that.  There are workarounds,
> but they may not apply to particular codebases.

Yeah. The discussion going on over at python-dev suggests that Python
itself may actually implement support after all, which would be really
nice.




Re: DoS using POST via hash algorithm collision

2011-12-29 Thread Jeremy Dunck
On Thu, Dec 29, 2011 at 12:10 PM, Paul McMillan  wrote:
...
>> That seems like a simpler workaround than arch upgrade or replacing
>> dict implementation.
>
> This problem has nothing to do with slowloris.
>
> Replacing dict implementation prevents an attacker from producing keys
> which are intentionally n^2 hard for dictionary operations.

Sure, I understand these are 2 different attack vectors.  I just meant
that putting a proxy in front is a general solution that isn't
invasive to app code.  It seems that this crafted-hash-collision
vector doesn't have a clean answer like that.  There are workarounds,
but they may not apply to particular codebases.




Re: DoS using POST via hash algorithm collision

2011-12-29 Thread Paul McMillan
> Slow Loris can be avoided by putting a proxy capable of buffering
> requests until completion between the app server and the web, right?

Yes, use nginx or similar. Slowloris is generally not a problem when
that is properly configured.

> That seems like a simpler workaround than arch upgrade or replacing
> dict implementation.

This problem has nothing to do with slowloris.

Replacing dict implementation prevents an attacker from producing keys
which are intentionally n^2 hard for dictionary operations.




Re: DoS using POST via hash algorithm collision

2011-12-29 Thread Jeremy Dunck
On Thu, Dec 29, 2011 at 8:19 AM, Christophe Pettus  wrote:
...
> It's an interesting result, but I'm not sure how much to be worried about it 
> in the field.  A SlowLoris or similar attack would seem to be far more 
> effective and less implementation-dependent.

Slow Loris can be avoided by putting a proxy capable of buffering
requests until completion between the app server and the web, right?
That seems like a simpler workaround than arch upgrade or replacing
dict implementation.




Re: DoS using POST via hash algorithm collision

2011-12-29 Thread Daniel Sokolowski
Thanks

On Thu, Dec 29, 2011 at 11:36 AM, Alex Gaynor  wrote:

> Well, what structure would you use to store them?  POST variables are
> "obviously" a mapping of key to value, and the way one does that in Python
> is generally a dict (which are presently backed by a hashtable on every
> Python VM I know of).
>
> Alex



Re: DoS using POST via hash algorithm collision

2011-12-29 Thread Alex Gaynor
On Thu, Dec 29, 2011 at 10:32 AM, Daniel Sokolowski <
daniel.sokolow...@klinsight.com> wrote:

> Would someone be so kind and explain why POST variables are stored in hash
> tables? What is the reasoning behind it? Speed? Or is this simply done at
> the Python level when using a dictionary type? Thank you
>

Well, what structure would you use to store them?  POST variables are
"obviously" a mapping of key to value, and the way one does that in Python
is generally a dict (which are presently backed by a hashtable on every
Python VM I know of).

Alex

-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero




Re: DoS using POST via hash algorithm collision

2011-12-29 Thread Daniel Sokolowski
Would someone be so kind and explain why POST variables are stored in hash
tables? What is the reasoning behind it? Speed? Or is this simply done at
the Python level when using a dictionary type? Thank you

On Thu, Dec 29, 2011 at 11:19 AM, Christophe Pettus wrote:

>
> On Dec 29, 2011, at 8:12 AM, Daniel Sokolowski wrote:
>
> > So this would affect Django because of the CSRF token check --- which
> > requires the hash to be regenerated before comparing it, yes?
>
> No, the problem is somewhat different.  The attacker constructs a POST
> request in which the field names are constructed to be a degenerate case of
> a hash table.  Since pretty much every web framework in existence
> (including Django) automatically takes the incoming POST fields and inserts
> them into a hash table (a Python dict being implemented as a hash table),
> the framework will grind through this degenerate case very, very slowly.
>
> If I'm reading the paper correctly, it only applies to 32-bit Python
> implementations, as the 64-bit ones are not practically vulnerable to this
> attack.
>
> It's an interesting result, but I'm not sure how much to be worried about
> it in the field.  A SlowLoris or similar attack would seem to be far more
> effective and less implementation-dependent.
> --
> -- Christophe Pettus
>   x...@thebuild.com
>


-- 
Daniel Sokolowski
Web Engineer
KL Insight
http://klinsight.com/
Tel: 613-344-2116 | Fax: 613.634.7029
993 Princess Street, Suite 212
Kingston, ON K7L 1H3, Canada


Notice of Confidentiality:
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review re-transmission dissemination or other use of or
taking of any action in reliance upon this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error please contact the sender immediately by return electronic
transmission and then immediately delete this transmission including all
attachments without copying distributing or disclosing same.




Re: DoS using POST via hash algorithm collision

2011-12-29 Thread Christophe Pettus

On Dec 29, 2011, at 8:12 AM, Daniel Sokolowski wrote:

> So this would affect Django because of the CSRF token check --- which
> requires the hash to be regenerated before comparing it, yes?

No, the problem is somewhat different.  The attacker constructs a POST request 
in which the field names are constructed to be a degenerate case of a hash 
table.  Since pretty much every web framework in existence (including Django) 
automatically takes the incoming POST fields and inserts them into a hash table 
(a Python dict being implemented as a hash table), the framework will grind 
through this degenerate case very, very slowly.

If I'm reading the paper correctly, it only applies to 32-bit Python 
implementations, as the 64-bit ones are not practically vulnerable to this 
attack.

It's an interesting result, but I'm not sure how much to be worried about it in 
the field.  A SlowLoris or similar attack would seem to be far more effective 
and less implementation-dependent.
--
-- Christophe Pettus
   x...@thebuild.com

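Christophe's description of the degenerate case (field names chosen so that every insert lands in the same bucket), together with the point Łukasz and Aymeric make about code that depends on a deterministic dict order, as an added example in Python. The hash table, the weak hash and the colliding keys below are constructed toys written for this page; they are not CPython's dict or its string hash, the thread does not contain this code, and the keyed variant uses BLAKE2b only as a stand-in for a keyed hash.

```python
"""Added example: a chained hash table with a predictable hash versus a
keyed one. weak_hash, ChainedTable and colliding_keys are constructed toys,
not CPython's implementation."""
import hashlib
import itertools


def weak_hash(s):
    """Toy multiplicative string hash (h = h*31 + c): fixed and predictable,
    so an attacker can precompute inputs that collide."""
    h = 0
    for ch in s:
        h = (h * 31 + ord(ch)) & 0xFFFFFFFF
    return h


def make_keyed_hash(key):
    """Keyed hash built on BLAKE2b with a secret key (assumed to be generated
    per process); without the key the bucket of a string is unpredictable."""
    def keyed_hash(s):
        digest = hashlib.blake2b(s.encode(), key=key, digest_size=8).digest()
        return int.from_bytes(digest, "little")
    return keyed_hash


class ChainedTable:
    """Hash table with separate chaining. It counts key comparisons made on
    insert, which is the cost a collision attack inflates."""

    def __init__(self, hash_fn, nbuckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def keys(self):
        # Iteration order is bucket order, so it depends on the hash function.
        return [k for chain in self.buckets for k, _ in chain]


def colliding_keys(n_blocks=10):
    """Constructed attacker input: 'Aa' and 'BB' have the same weak_hash
    (65*31+97 == 66*31+66), so every concatenation of n_blocks such blocks
    collides, giving 2**n_blocks distinct keys with one hash value."""
    return ["".join(p) for p in itertools.product(("Aa", "BB"), repeat=n_blocks)]


def insertion_cost(keys, hash_fn, nbuckets=1024):
    """Total key comparisons needed to insert all keys into a fresh table."""
    table = ChainedTable(hash_fn, nbuckets)
    for k in keys:
        table.insert(k, None)
    return table.comparisons


def iteration_order(keys, hash_fn, nbuckets=1024):
    """The order in which the table yields the keys after inserting them."""
    table = ChainedTable(hash_fn, nbuckets)
    for k in keys:
        table.insert(k, None)
    return table.keys()


if __name__ == "__main__":
    keys = colliding_keys()
    n = len(keys)
    print("keys:", n, "all share one weak_hash:", len({weak_hash(k) for k in keys}) == 1)
    print("weak hash comparisons:", insertion_cost(keys, weak_hash),
          "(n*(n-1)/2 =", n * (n - 1) // 2, ")")
    print("keyed hash comparisons:", insertion_cost(keys, make_keyed_hash(b"per-process secret")))
    a = iteration_order(keys, make_keyed_hash(b"seed one"))
    b = iteration_order(keys, make_keyed_hash(b"seed two"))
    print("same keys, same order under two different seeds:", a == b)
```

With 1024 colliding keys the fixed hash costs n(n-1)/2 = 523776 key comparisons for one table, while the keyed hash spreads the same keys over the buckets and costs a few hundred. The last lines show the trade-off the thread argues about: two different keys give two different iteration orders for the same set of keys, which is exactly what breaks code that relies on a deterministic dict order.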



Re: DoS using POST via hash algorithm collision

2011-12-29 Thread Daniel Sokolowski
So this would affect Django because of the CSRF token check --- which
requires the hash to be regenerated before comparing it, yes?

On Wed, Dec 28, 2011 at 9:26 PM, Luciano Pacheco  wrote:

> Hi all,
>
> Have you guys seen this?
> http://www.ocert.org/advisories/ocert-2011-003.html
>
> PDF with some more explanation:
> http://www.nruns.com/_downloads/advisory28122011.pdf
>
> Regards,
> --
> Luciano Pacheco
> blog.lucmult.com.br






Re: DoS using POST via hash algorithm collision

2011-12-28 Thread Russell Keith-Magee
On Thu, Dec 29, 2011 at 11:48 AM, Luciano Pacheco  wrote:
>
>
> On Thu, Dec 29, 2011 at 1:56 PM, Paul McMillan  wrote:
>>
>>
>> Even though this issue is now public, please continue to report security
>> problems privately to secur...@djangoproject.com.
>
>
>
> Hi Paul,
>
> Thanks for your response.
>
> I've searched our community page for this address, before send to djang-dev
> list, but I haven't found it.
>
> https://www.djangoproject.com/community/

Thanks for the suggestion -- putting a link to the security mailing
contact on the community page definitely seems like a good idea to me.
I've just opened ticket #17479 to track this idea.

https://code.djangoproject.com/ticket/17479

For the record, the security contact is listed on the "create a new ticket" page

https://code.djangoproject.com/newticket

and in the FAQ:

https://docs.djangoproject.com/en/dev/faq/help/#i-think-i-ve-found-a-security-problem-what-should-i-do

However, it certainly doesn't hurt to have more links on our security
reporting procedures.

Yours,
Russ Magee %-)




Re: DoS using POST via hash algorithm collision

2011-12-28 Thread Paul McMillan
Yes, we've seen it and are working on it. Python hasn't directly
addressed the problem (and may not - it's arguable whether it's an
application or a language-level issue), so we'll probably have to ship
our own workaround. This is a non-trivial fix.

In the meantime, workarounds include using 64 bit python, severely
limiting the length of requests your server accepts, limiting the
number of allowed parameters in a POST, and strictly limiting the
amount of time a Django process can exist before the webserver kills
it.

Fortunately, attack code has not yet been made public (if you know
otherwise please contact me privately).

Even though this issue is now public, please continue to report security
problems privately to secur...@djangoproject.com.

-Paul

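The request-level workarounds Paul lists here (limiting request length and the number of POST parameters), and the HTTP-specific limits Luke describes in his 2012-01-20 reply (length limits on POST/GET data and on cookies, applied before anything reaches a dict), as an added example in Python. This is not Django's code and not code from the thread; the limit values, the exception classes and the function names are assumptions chosen for illustration, and the sample requests are constructed.

```python
"""Added example (not Django's code): HTTP-level limits enforced before any
user-supplied key is inserted into a dict. Limits and names are assumptions."""
import io
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl

MAX_BODY_BYTES = 2 * 1024 * 1024   # assumed cap on a form body
MAX_FIELDS = 1000                  # assumed cap on fields per body
MAX_COOKIE_BYTES = 4096            # assumed cap on the Cookie header


class RequestTooLarge(ValueError):
    pass


class TooManyFields(ValueError):
    pass


def read_body(stream, content_length, max_bytes=MAX_BODY_BYTES):
    """Read at most max_bytes from the request stream.

    The declared Content-Length is attacker-controlled, so it is checked
    first and the actual read is capped as well."""
    if content_length is not None and content_length > max_bytes:
        raise RequestTooLarge("declared Content-Length exceeds limit")
    data = stream.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise RequestTooLarge("body exceeds limit")
    return data


def parse_form_body(body, max_fields=MAX_FIELDS):
    """Decode an application/x-www-form-urlencoded body into {name: [values]}.

    The field count is bounded by counting '&' separators, an O(len(body))
    scan that allocates nothing, before parse_qsl builds any structure.
    Counting separators over-counts blank segments, which only makes the
    check stricter."""
    if not body:
        return {}
    n_fields = body.count(b"&") + 1
    if n_fields > max_fields:
        raise TooManyFields("%d fields, limit is %d" % (n_fields, max_fields))
    result = {}
    for name, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
        result.setdefault(name, []).append(value)
    return result


def parse_cookie_header(header, max_bytes=MAX_COOKIE_BYTES):
    """Length-limit the Cookie header, then hand it to stdlib SimpleCookie."""
    if len(header) > max_bytes:
        raise RequestTooLarge("Cookie header exceeds limit")
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def handle_request(environ, max_bytes=MAX_BODY_BYTES, max_fields=MAX_FIELDS):
    """Apply the limits in the order a WSGI layer would: declared length,
    bytes actually read, field count, cookie length."""
    length = environ.get("CONTENT_LENGTH")
    content_length = int(length) if length else None
    body = read_body(environ["wsgi.input"], content_length, max_bytes)
    form = parse_form_body(body, max_fields)
    cookies = parse_cookie_header(environ.get("HTTP_COOKIE", ""))
    return form, cookies


if __name__ == "__main__":
    # Constructed requests: one well-formed, one flooding the field limit.
    ok = {"CONTENT_LENGTH": "11", "wsgi.input": io.BytesIO(b"a=1&b=2&a=3"),
          "HTTP_COOKIE": "sessionid=abc; csrftoken=xyz"}
    print(handle_request(ok))
    flood = b"&".join(("k%d=v" % i).encode() for i in range(5000))
    try:
        handle_request({"CONTENT_LENGTH": str(len(flood)),
                        "wsgi.input": io.BytesIO(flood)})
    except TooManyFields as exc:
        print("rejected:", exc)
```

The order matters: the declared Content-Length is rejected early, but the read is capped too because the header can lie, and the field count is bounded by a separator scan before parse_qsl builds any list. These limits do not fix the underlying hash function; they only bound how much attacker-chosen data a single request can push into a dict. Newer Python versions also accept a max_num_fields argument to parse_qsl for the same purpose.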



DoS using POST via hash algorithm collision

2011-12-28 Thread Luciano Pacheco
Hi all,

Have you guys seen this?
http://www.ocert.org/advisories/ocert-2011-003.html

PDF with some more explanation:
http://www.nruns.com/_downloads/advisory28122011.pdf

Regards,
-- 
Luciano Pacheco
blog.lucmult.com.br
