[Python-modules-team] Bug#686104: python-django-registration: Not compatible with, Django 1.4.

Winfried Tilanus winfried at tilanus.com
Fri Aug 31 07:36:42 UTC 2012


On 08/31/2012 08:41 AM, Raphael Hertzog wrote:

> What openly available data are you referring to?

The hash calculated in django-registration is sent out to people
registering a new account, as part of the url to click on when
confirming the registration of a new account. It is used as identifier
in the communication. So if you are able to calculate a collision in it,
you might do things like:
- register an account on a non-existing e-mail address
- register an account on the e-mail address of somebody else
- confirm a registration request of somebody else

Note the contrast with the use of hashes in the password storage (the
use of SHA1 that is deprecated in Django 1.4). In a password storage
the use of hashes is a second line of defense: to avoid compromise of
the passwords after a compromise of the database. The use of hashes in
django-registration is a first line of defense.

Calculating a collision with SHA1 is demonstrated in a proof of concept.
Right now it would probably still be impossible or at worst not be
practical to launch such an attack against django-registration. But
because cryptographic weaknesses tend to become more and more
exploitable over time, I regard the use of SHA1 in
python-django-registration 0.7.1 as a ticking time bomb.

Winfried
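As an added example (not code from this thread or from django-registration itself), one way to make an activation key unforgeable rather than a digest that an attacker could try to collide: a keyed HMAC over the account identity and issue time, checked in constant time and bounded by an activation window. The server key, the window and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed for this example; a real deployment would use a dedicated
# secret from settings (never a value checked into source control).
SERVER_KEY = secrets.token_bytes(32)
ACTIVATION_WINDOW = 7 * 24 * 3600  # seconds; assumed 7-day activation period


def make_activation_key(username: str, email: str, issued_at: int,
                        key: bytes = SERVER_KEY) -> str:
    """Return "<issued_at>.<tag>", where tag is HMAC-SHA256 over the
    account identity and the issue time.

    Unlike a bare SHA1 digest, the tag cannot be produced or collided
    without the server key, so it can serve as the first line of defence
    in the confirmation link on its own.
    """
    msg = f"{username}\x00{email}\x00{issued_at}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{tag}"


def check_activation_key(username: str, email: str, activation_key: str,
                         now: int, key: bytes = SERVER_KEY) -> bool:
    """Verify a key from a confirmation link for the given account.

    Rejects malformed keys, keys outside the activation window, keys
    issued "in the future", and any key whose tag does not match; the
    comparison is constant-time to avoid leaking the expected tag.
    """
    try:
        issued_str, _tag = activation_key.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if now < issued_at or now - issued_at > ACTIVATION_WINDOW:
        return False
    expected = make_activation_key(username, email, issued_at, key)
    return hmac.compare_digest(expected, activation_key)


if __name__ == "__main__":
    k = make_activation_key("alice", "alice@example.org", 1_346_400_000)
    print(k)
    print(check_activation_key("alice", "alice@example.org", k, 1_346_403_600))
```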
