Opened 13 years ago

Closed 13 years ago

#17482 closed Bug (invalid)

Hashmap Denial of Service

Reported by: guillermocolmenero@… Owned by: Guillermo Colmenero
Component: HTTP handling Version: 1.3
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Hey, there is a common flaw in the implementation of most of the popular web programming languages and platforms (including PHP, ASP.NET, Java, etc.), and can be used to force web application servers to use 99% of CPU for several minutes to hours for a single HTTP request.

http://youtu.be/R2Cq3CLI6H8

Pleas try to patch to avoid being attacked.

Change History (1)

comment:1 by Paul McMillan, 13 years ago

Has patch: unset
Keywords: dos attack removed
Resolution: invalid
Status: newclosed

Thank you for your bug report.

We are aware of this issue, and are working to resolve it at several levels. Currently, we believe the fundamental fix needs to come from Python rather than Django. The fix recommended by the presenters (limiting POST requests) only resolves the most obvious form of the bug, leaving applications open to other attacks using the same fundamental flaw. Their recommended fix should be applied at the webserver level (nginx or apache), before the request arrives in Django.

We are working with the Python team to resolve this, and may issue a security advisory or patch regarding this if the Python response does not fully resolve the problem in a timely fashion. In the meantime, strictly limiting the length of allowed requests, strictly limiting the amount of time a process can run, and using 64 bit Python will all help mitigate the issue. For further discussion, please see the mailing list:

https://groups.google.com/group/django-developers/browse_thread/thread/915363a31f322c8a

As always, if you believe you are reporting a security issue for Django, please follow the instructions at the top of the new ticket window and report it privately to security@… instead of opening a public ticket.

Note: See TracTickets for help on using tickets.
Back to Top