Session riding vulnerability in the admin app

[roland.illig@…]

Everything that is needed to submit an HTML form like on ​http://127.0.0.1:8000/admin/*/*/add/ can be guessed by an attacker. Therefore, the necessary data may be included in an external web page, and as soon as an already logged-in admin visits that page, the attacker can add things to the database.

​http://en.wikipedia.org/wiki/XSRF

Roland

[Brian Rosner]

Is this not being caught with the add permission check in both the add view?

[Jason Davies]

Replying to brosner:

Is this not being caught with the add permission check in both the add view?

This wouldn't be caught by the add permission check, the only solution is to include some kind of token, e.g. the method used by the ​CSRF middleware.

[Alex Gaynor]

Replying to esaj:

Replying to brosner:

Is this not being caught with the add permission check in both the add view?

This wouldn't be caught by the add permission check, the only solution is to include some kind of token, e.g. the method used by the ​CSRF middleware.

That's the point of the CSRF middleware though, we just need to make sure that users are using it, because it will protect admin as well as your own stuff.

[Brian Rosner]

Ok, this isn't necessarily a problem with the admin itself. As Alex pointed out that is the whole point of the CSRF middleware and the trunk admin is already doing anything to prevent this. If this is a concern in your project then look at ​http://www.djangoproject.com/documentation/csrf/. Please re-open if I am not right in thinking this isn't an admin specific problem, but please provide more information ;)