lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AANLkTik87Gv_ZQ+_7=i=L0-qKx0mjNJwjOtPVVpXrNiv@mail.gmail.com>
Date: Tue, 31 Aug 2010 12:09:51 +1000
From: dave b <db.pub.mail@...il.com>
To: bugtraq@...urityfocus.com
Subject: django in combination with mod wsgi on apache on default debian and
 ubuntu installations does not place any bounds on the maximum size of a file upload

Summary:
In the default setup of wsgi, apache and django (at least on
ubuntu and debian) by default there are no limits on the size of a
file that an attacker can upload.
http://cwe.mitre.org/top25/#CWE-770 and see example 2 at
http://cwe.mitre.org/data/definitions/770.html

Vendor response:
"
If you have your Apache install configured to accept arbitrarily sized
uploads, your Apache install will accept arbitrarily sized uploads.
This should not be surprising behavior.

If Debian or Ubuntu are packaging Apache with this as the default
behavior, that's an issue for Debian and Ubuntu to manage. This
doesn't make *Django* insecure -- it makes the default install of
*Apache* insecure on those platforms. *Any* application deployed using
*any* framework would be subject to the same attack. And the attack
can be completely avoided by correctly configuring Apache.

And, for the record, the fact that Ubuntu or Debian have chosen these
defaults doesn't make Apache insecure either. System defaults exist to
make it easy and obvious to get something started. A responsible
sysadmin for a public-facing webserver shouldn't be using *any*
OS-provided defaults without auditing them. To aid that process, the
Django project is in a position to describe the sorts of issues that a
sysadmin should watch out for; hence, documenting deployment-related
security issues such as this one is in scope.

However, at the end of the day, as Graham and I have *repeatedly* told
you -- this is an issue that should be caught at the webserver, not at
the application level. Even if we weren't talking about duplicating
functionality (and we are), there are both practical and technical
reasons why it is inappropriate for Django to implement file-upload
size restrictions. This problem can be avoided with appropriate
configuration of your web server, and therefore should be.
"

--
Alas, how love can trifle with itself!		-- William Shakespeare, "The
Two Gentlemen of Verona"

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ