Security Snippets : Django updated, Lua exploited, Internet scanned


  • Urgent Django Update: There’s a security update for Django, released on Sunday and rushed out because the issue was reported on the Django developers list and so was already public. It’s a DoS problem: an attacker can submit very large passwords to tie up the system while it hashes them using PBKDF2. The fixes make passwords greater than 4K automatically fail authentication.
  • Lua 5.1 exploitation: A detailed post on GitHub’s Gists looks at the process of escaping the Lua 5.1 sandbox on a 32-bit Windows system, explaining how the exploit works and loads a DLL from within what should be a locked-down environment. An interesting read for a “whirlwind tour” of the Lua VM involved.
  • Fast scanning the net: Errata Security’s Robert Graham talks about Masscan, his port scanning software which can scan “the entire internet in 3 minutes” using only a quad core desktop processor… oh and a dual port 10Gbps Ethernet card. Want to do that yourself? You can read the source at GitHub along with even more details about how to build the program. But don’t assume it’s open source – the license says you have no permission to use or run it (and yes, we’ve asked and we’ll update when we know more).
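As an added illustration of the Django item above (example code written for this post, not Django’s own), here is the shape of the mitigation described: a password verifier that fails authentication for anything over 4K before PBKDF2 is ever run, shown beside the unguarded version. It uses Python’s `hashlib.pbkdf2_hmac`; the 4096-byte limit, the stored-hash format and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os

# Assumed limit, mirroring the "passwords greater than 4K fail" fix described above.
MAX_PASSWORD_BYTES = 4096
ITERATIONS = 10000  # constructed value for the example, not Django's default

# Counts how many times PBKDF2 actually runs, so the effect of the guard is visible.
HASH_CALLS = [0]


def _pbkdf2(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Run PBKDF2-HMAC-SHA256; this is the expensive step an attacker tries to trigger."""
    HASH_CALLS[0] += 1
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def make_hash(password: str, salt: bytes = None) -> str:
    """Return a stored hash in an assumed 'algorithm$iterations$salt$digest' layout."""
    salt = salt or os.urandom(16)
    digest = _pbkdf2(password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_unguarded(password: str, stored: str) -> bool:
    """Vulnerable shape: PBKDF2 is run for a password of any length, however large."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = _pbkdf2(password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(digest.hex(), digest_hex)


def verify_guarded(password: str, stored: str) -> bool:
    """Hardened shape: oversized passwords fail before any hashing work is done."""
    if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
        return False
    return verify_unguarded(password, stored)
```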