r8-forks / webapp-improved

Automatically exported from code.google.com/p/webapp-improved

webapp2_extras.security.hash_password arbitrary hash method can lead to denial of service attack #87

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
When creating a password hash (e.g. when authenticating the user-supplied 
password) webapp2 uses the following code snippet:

    import hashlib
    import hmac

    # 'method' is the hash method name taken from the stored password hash
    method = getattr(hashlib, method, None)
    if not method:
        return None

    if salt:
        h = hmac.new(webapp2._to_utf8(salt), password, method)
    else:
        h = method(password)

Parameter 'method' comes from user password hash stored in NDB. If (for 
whatever reason) the password hash from NDB comes from untrusted source, the 
attacker can abuse it to plant e.g. the following password hash:

    anything$__delattr__$

And use e.g. 'sha1' as the password. This will effectively be:

    method = getattr(hashlib, '__delattr__', None)
    method('sha1')

removing the hashlib.sha1 function, breaking the cookie signature verification 
and authentication attempts for all other users until the application restarts. 

Before using getattr(hashlib, method) one should verify that the method:
 - is not in ['new', 'algorithms']
 - does not start with "_" 

Original issue reported on code.google.com by kkotowicz on 16 Dec 2013 at 11:52
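A hardened lookup that applies the two checks proposed in the report and, going one step further, restricts the method name to an allowlist of hashlib's guaranteed algorithms. This is an added example, not webapp2's own code; the `hashval$method$salt` stored-hash layout and the function names are assumptions based on the example in the report.

```python
import hashlib
import hmac

# The two non-hash helpers named in the report.
_FORBIDDEN = {"new", "algorithms"}

# Allowlist (assumption: stricter than the report's checks). The shake_*
# XOFs are excluded because their digests need an explicit length.
_ALLOWED = {n for n in hashlib.algorithms_guaranteed if not n.startswith("shake_")}


def resolve_hash_method(name):
    """Return a hashlib constructor for `name`, or None if the name is unsafe.

    Rejects private/dunder attributes such as '__delattr__', the helpers the
    report names, and anything outside the allowlist, so a method name read
    from a stored hash can never select an arbitrary attribute of hashlib.
    """
    if not isinstance(name, str) or not name:
        return None
    if name.startswith("_") or name in _FORBIDDEN:
        return None
    if name not in _ALLOWED:
        return None
    return getattr(hashlib, name, None)


def hash_password(password, method, salt=None):
    """Hardened counterpart of the snippet quoted in the report (Python 3)."""
    ctor = resolve_hash_method(method)
    if ctor is None:
        return None
    data = password.encode("utf-8")
    if salt:
        return hmac.new(salt.encode("utf-8"), data, ctor).hexdigest()
    return ctor(data).hexdigest()


def check_password_hash(password, stored):
    """Verify `password` against an assumed 'hashval$method$salt' string."""
    parts = stored.split("$")
    if len(parts) != 3:
        return False
    hashval, method, salt = parts
    computed = hash_password(password, method, salt)
    if computed is None:
        return False  # unsafe or unknown method name: fail closed
    return hmac.compare_digest(computed, hashval)
```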