#36651: Security concern in ModelBackend
-------------------------------------+-------------------------------------
Reporter: heindrickdumdum0217 | Owner: (none)
Type: Bug | Status: closed
Component: contrib.auth | Version: 5.2
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):
* resolution: => invalid
* status: new => closed
Comment:
As mentioned in the ticket submission form, security-related reports are
not to be submitted here. They should be sent to
[email protected] instead.
That said, we do not consider this a security issue. If the user is
active, brute-forcing the password results in successful authentication.
The techniques to protect against this are well-known, including requiring
strong passwords and rate-limiting requests to authentication endpoints.
Here you have raised the case where the user is inactive and
authentication does not succeed, but the correctness of the password can
be inferred from the variance in the error. But in the active user case,
it's already "game over" if the password can be brute-forced. We wouldn't
add complexity to treat the inactive user case differently. Moreover,
reversing the order of conditions could cause an account enumeration
attack, see #20760.
--
Ticket URL: <https://code.djangoproject.com/ticket/36651#comment:2>