[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
django in combination with mod wsgi on apache on default debian and ubuntu installations does not place any bounds on the maximum size of a file upload
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: django in combination with mod wsgi on apache on default debian and ubuntu installations does not place any bounds on the maximum size of a file upload
- From: dave b <db.pub.mail@xxxxxxxxx>
- Date: Tue, 31 Aug 2010 12:09:51 +1000
- Delivered-to: mailing list bugtraq@xxxxxxxxxxxxxxxxx
- Delivered-to: moderator for bugtraq@xxxxxxxxxxxxxxxxx
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:received:from:date :message-id:subject:to:content-type; bh=V5QtibMNBxuOc56gcjYQxFfkiJDZJReQBEgm3Gu+O5A=; b=f+Jid3goCWtlbv+UZlp0s+Hqe5ox8W7YHXP5K8QCs6wuo7T6CjdP+WbFRR6pkPOI41 S/VGKDQEpyiQOsYeTIOjTd+BSheNVvtTnalribR6mBiZLQs5Eotgu8JDp/KOpnKFZr8W JeWCIijAyB3z1nl/vFzdlBMJUJVflQX+4ecOg=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:from:date:message-id:subject:to:content-type; b=WNstrWlnZKf+yy/DsUG3Brpj/62J4kjqx6iv5kSS5wuieUKHzXKc3t9Fo8RxB0ydJd l/fHJmJ6g1WqhZgEzdC6oL03RMpHQDvrustekUj+EQRfdr9+PANvihtO67Lc5f4hF6DM q8nzeqzlWZo3K5YNb+LlM2qk7ulYotr0srTgM=
- List-help: <mailto:email@example.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:firstname.lastname@example.org>
- List-subscribe: <mailto:email@example.com>
- List-unsubscribe: <mailto:firstname.lastname@example.org>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
In the default setup of wsgi, apache and django (at least on
ubuntu and debian) by default there are no limits on the size of a
file that an attacker can upload.
http://cwe.mitre.org/top25/#CWE-770 and see example 2 at
If you have your Apache install configured to accept arbitrarily sized
uploads, your Apache install will accept arbitrarily sized uploads.
This should not be surprising behavior.
If Debian or Ubuntu are packaging Apache with this as the default
behavior, that's an issue for Debian and Ubuntu to manage. This
doesn't make *Django* insecure -- it makes the default install of
*Apache* insecure on those platforms. *Any* application deployed using
*any* framework would be subject to the same attack. And the attack
can be completely avoided by correctly configuring Apache.
And, for the record, the fact that Ubuntu or Debian have chosen these
defaults doesn't make Apache insecure either. System defaults exist to
make it easy and obvious to get something started. A responsible
sysadmin for a public-facing webserver shouldn't be using *any*
OS-provided defaults without auditing them. To aid that process, the
Django project is in a position to describe the sorts of issues that a
sysadmin should watch out for; hence, documenting deployment-related
security issues such as this one is in scope.
However, at the end of the day, as Graham and I have *repeatedly* told
you -- this is an issue that should be caught at the webserver, not at
the application level. Even if we weren't talking about duplicating
functionality (and we are), there are both practical and technical
reasons why it is inappropriate for Django to implement file-upload
size restrictions. This problem can be avoided with appropriate
configuration of your web server, and therefore should be.
Alas, how love can trifle with itself! -- William Shakespeare, "The
Two Gentlemen of Verona"