What I meant is that using PKCS#5 padding ("N bytes of a value of N") will make it even more susceptible to a CBC oracle attack.
I'm not nearly qualified to talk about that stuff, but instead of requiring PyCrypto, maybe you should require Keyczar (http://code.google.com/p/keyczar/) and not have to worry about padding, IVs, etc.
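An added example, not part of the comment above and not Keyczar's or PyCrypto's code: checking an HMAC over the IV and ciphertext before decrypting means a modified ciphertext never reaches the PKCS#5 padding check, so there is no padding-error signal for a CBC oracle to use. The names `seal` and `open_sealed` and the XOR-based `toy_cbc_*` stand-in for AES-CBC (used so the block runs without PyCrypto, with a 16-byte key) are assumptions made for this sketch.

```python
import hashlib, hmac, os
BLOCK, TAGLEN = 16, 32

class DecryptError(Exception):
    """One uniform failure, so callers cannot tell a bad MAC from bad padding."""

def pad(data):
    n = BLOCK - len(data) % BLOCK          # PKCS#5/7: N bytes of value N
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if len(data) % BLOCK or not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")    # the distinction a padding oracle leaks
    return data[:-n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed stand-in for AES so the example runs offline. NOT a real cipher.
def toy_cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = _xor(_xor(pt[i:i + BLOCK], prev), key)
        out += prev
    return out

def toy_cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(_xor(blk, key), prev)
        prev = blk
    return out

def seal(enc_key, mac_key, plaintext, encrypt=toy_cbc_encrypt):
    iv = os.urandom(BLOCK)                 # fresh random IV per message
    ct = encrypt(enc_key, iv, pad(plaintext))
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, blob, decrypt=toy_cbc_decrypt):
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-TAGLEN], blob[-TAGLEN:]
    want = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    # MAC is verified in constant time BEFORE any decryption or unpadding.
    if len(blob) < 2 * BLOCK + TAGLEN or not hmac.compare_digest(tag, want):
        raise DecryptError("decryption failed")
    try:
        return unpad(decrypt(enc_key, iv, ct))
    except ValueError:
        raise DecryptError("decryption failed") from None
```

A real deployment would pass AES-CBC callables for `encrypt` and `decrypt` and use separate keys for encryption and the MAC, as the two key parameters suggest.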