Updated versions have been released to fix the vulnerability

Sep 17, 2013 11:26 GMT

The Django Software Foundation has released Django 1.4.8, Django 1.5.4, and Django 1.6 beta 4. Users are advised to download the latest versions as soon as possible because of a vulnerability that can be used to launch denial-of-service (DoS) attacks against the authentication framework.

Experts often advise users to set long, strong passwords so that they are hard to guess or crack. However, there is a point at which very long passwords become a liability.

Django hashes passwords with PBKDF2, a deliberately slow method, to make them difficult to crack. That computational cost, however, cuts both ways.

“Django does not impose any maximum on the length of the plaintext password, meaning that an attacker can simply submit arbitrarily large -- and guaranteed-to-fail -- passwords, forcing a server running Django to perform the resulting expensive hash computation in an attempt to check the password,” reads the advisory from Django.

“A password one megabyte in size, for example, will require roughly one minute of computation to check when using the PBKDF2 hasher. This allows for denial-of-service attacks through repeated submission of large passwords, tying up server resources in the expensive computation of the corresponding hashes.”

In order to address the issue, the authentication framework has been configured to automatically reject login attempts for passwords that exceed 4096 bytes.
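The mitigation described above, as an added illustration that is not Django's own code: a verifier that refuses oversized candidates before any PBKDF2 work runs, so the expensive computation can no longer be triggered by a guaranteed-to-fail login. The 4096-byte limit comes from the article; the `algorithm$iterations$salt$hash` layout is modelled on Django's encoded format, and the function names, iteration count and call counter are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

MAX_PASSWORD_BYTES = 4096   # limit introduced by the fix described in the article
ITERATIONS = 10000          # assumed work factor for this example
_hash_calls = 0             # counts PBKDF2 runs so the guard can be shown to short-circuit


def pbkdf2_call_count() -> int:
    """How many times the expensive hash has actually been computed."""
    return _hash_calls


def _pbkdf2(password: bytes, salt: bytes, iterations: int) -> bytes:
    global _hash_calls
    _hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def make_password(password: str, salt: str = "") -> str:
    """Encode a password as algorithm$iterations$salt$hash (layout modelled on Django's)."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    salt = salt or os.urandom(6).hex()          # constructed, per-password random salt
    digest = _pbkdf2(raw, salt.encode("ascii"), ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, salt, base64.b64encode(digest).decode("ascii"))


def check_password(password: str, encoded: str) -> bool:
    """Verify a login attempt; oversized input is rejected before any hashing."""
    raw = password.encode("utf-8")
    # The guard: the length check is cheap and runs first, so an attacker who
    # submits a huge password cannot force the server into the PBKDF2 loop.
    if len(raw) > MAX_PASSWORD_BYTES:
        return False
    algorithm, iterations, salt, stored = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = _pbkdf2(raw, salt.encode("ascii"), int(iterations))
    # Constant-time comparison avoids leaking how many bytes of the hash matched.
    return hmac.compare_digest(candidate, base64.b64decode(stored))
```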

The vulnerability (CVE-2013-1443) affects the Django master development branch, Django 1.4, 1.5 and 1.6, which is currently at beta status.

Django developers warn that updating to the latest version is also critical because the details of the vulnerability haven’t been reported to them directly. Instead, they’ve been made publicly available on the django-developers mailing list.

Security experts who identify Django flaws are advised to report them via email to security (at) djangoproject(dot)com.
