James Bennett, a Django developer, said that the framework uses the PBKDF2 algorithm for password hashing, which makes brute-force attacks impossible.
But Bennett reveals in a blog post, “this complexity can also be used as an attack vector. Django does not impose any maximum on the length of the plaintext password, meaning that an attacker can simply submit arbitrarily large — and guaranteed-to-fail — passwords, forcing a server running Django to perform the resulting expensive hash computation in an attempt to check the password. A password one megabyte in size, for example, will require roughly one minute of computation to check when using the PBKDF2 hasher.”
“This allows for denial-of-service attacks through repeated submission of large passwords, tying up server resources in the expensive computation of the corresponding hashes,” he further explained.
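The mechanism Bennett describes, and the corresponding fix, as an added example that is not Django's own code: a deliberately slow PBKDF2 whose cost grows with the length of the plaintext (it re-keys the HMAC on every iteration, so each iteration re-digests the whole password), a password check with no length limit, and a hardened check that rejects over-length input before the hasher runs. The constant `MAX_PASSWORD_LENGTH`, the iteration count and all function names are assumptions chosen for this example; the hasher parameters are kept small so it runs quickly.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed for this example; not Django's code or defaults.
ITERATIONS = 200             # deliberately low so the demo finishes quickly
MAX_PASSWORD_LENGTH = 4096   # assumed cap in bytes; any modest bound removes the DoS

_hash_calls = 0  # counts how often the expensive hasher actually ran


def naive_pbkdf2(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Single-block PBKDF2-HMAC-SHA256 (dkLen = 32), written the slow way.

    Creating a fresh HMAC on every iteration re-digests the full password each
    time, so the cost scales with len(password) * iterations. This mirrors the
    behaviour the advisory describes; a tuned implementation keys the HMAC once.
    For dkLen = 32 the output is identical to hashlib.pbkdf2_hmac.
    """
    global _hash_calls
    _hash_calls += 1
    u = hmac.new(password, salt + struct.pack(">I", 1), hashlib.sha256).digest()
    result = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha256).digest()
        result ^= int.from_bytes(u, "big")
    return result.to_bytes(32, "big")


def matches_stdlib(password: bytes, salt: bytes, iterations: int) -> bool:
    """Sanity check: the slow hasher agrees with the standard library."""
    expected = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return naive_pbkdf2(password, salt, iterations) == expected


def hash_invocations() -> int:
    return _hash_calls


def make_password(password: str, iterations: int = ITERATIONS):
    """Enforce the same cap when the password is set, so a legitimate user can
    never store a password that the hardened check would later refuse."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_LENGTH:
        raise ValueError("password exceeds MAX_PASSWORD_LENGTH")
    salt = os.urandom(16)
    return salt, naive_pbkdf2(pw, salt, iterations)


def check_password_unbounded(candidate: str, salt: bytes, stored: bytes,
                             iterations: int = ITERATIONS) -> bool:
    """Vulnerable shape: hashes whatever it is given, however long."""
    derived = naive_pbkdf2(candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(derived, stored)


def check_password(candidate: str, salt: bytes, stored: bytes,
                   iterations: int = ITERATIONS) -> bool:
    """Hardened shape: a plaintext longer than the cap cannot match any stored
    password, so reject it before spending any hashing work."""
    pw = candidate.encode("utf-8")
    if len(pw) > MAX_PASSWORD_LENGTH:
        return False
    return hmac.compare_digest(naive_pbkdf2(pw, salt, iterations), stored)


def time_check(fn, candidate: str, salt: bytes, stored: bytes) -> float:
    start = time.perf_counter()
    fn(candidate, salt, stored)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt, stored = make_password("correct horse battery staple")
    oversized = "A" * (256 * 1024)  # constructed 256 KiB guaranteed-to-fail input
    print("unbounded, 256 KiB: %.3f s" % time_check(check_password_unbounded, oversized, salt, stored))
    print("capped,    256 KiB: %.6f s" % time_check(check_password, oversized, salt, stored))
```

Running the module prints the two timings side by side; even at 200 iterations the unbounded check spends measurable time on the oversized input while the capped check returns immediately. The cap has to be applied consistently at both set and check time, and it should sit in front of every entry point that reaches the hasher (login forms, API authentication, password-change views), because a single unguarded path is enough to reintroduce the problem.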
The flaw was disclosed publicly on the Django mailing list, forcing the developers to fix it as quickly as possible. Luckily, the fix took them only a day.
Researchers who find Django flaws are advised to report them privately next time, by email to security (at) djangoproject(dot)com.