AOH :: HP Unsorted D :: TB13192.HTM

Django 0.96 (stable) Admin Panel CSRF



Django 0.96 (stable) Admin Panel CSRF
Django 0.96 (stable) Admin Panel CSRF




Author: J. Carlos Nieto.
Date: Oct 21, 2007

There exists a security hole in the default django's admin panel.

Background
=========Django is a high-level Python Web framework that encourages rapid
development and clean, pragmatic design.
Django has an automatic admin panel that allows a person with admin
privileges to modify the database tables, it allows to change any user
password too.
See more at http://www.djangoproject.com 

Summary
======django has, by default, no CSRF protection, this may allow an attacker
to change any user password by tricking a victim with admin privileges
into a special forged web page (even in a a totally different server)
that sends a request to change the password of the user with id = n. The
victim does not know that the form was sent. If the victim has admin
privileges the exploit will succeed, otherwise nothing will happen.

Severity
=======Mild. This problem exists only with the default installation and can be
easily solved using a middleware found in here:
http://www.djangoproject.com/documentation/csrf/. 

Proof of concept
===============




Solution
=======Use the django's CSRF protection in all your applications. Take a look
at http://www.djangoproject.com/documentation/csrf/. 


Disclosure Timeline
==================2007.10.18 - Vulnerability found
2007.10.18 - Vulnerability reported to vendor
2007.10.18 - Vendor response
2007.10.21 - Advisory release

License
======
Copyright 2007 J. Carlos Nieto

The contents of this document are licensed under the Creative Commons -
Attribution / Share Alike license.



The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.