Opened 14 years ago

Closed 14 years ago

#14032 closed (fixed)

CSRF cookie value is marked as safe and inserted in the HTML unchecked

Reported by: André Cruz
Owned by: Luke Plant
Component: Core (Other)
Version: 1.2
Severity:
Keywords: security csrf
Cc: clouserw@…
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The value of the CSRF Cookie is inserted, unescaped, in the HTML. According to django/template/defaulttags.py:

from django.template import Node
from django.utils.safestring import mark_safe

class CsrfTokenNode(Node):
    def render(self, context):
        csrf_token = context.get('csrf_token', None)
        if csrf_token:
            if csrf_token == 'NOTPROVIDED':
                return mark_safe(u"")
            else:
                # The token is interpolated into the attribute as-is and the
                # result is marked safe, so it bypasses autoescaping entirely.
                return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % (csrf_token))

This csrf_token value is the value of the token. There are scenarios in which a subdomain attacker can set the CSRF cookie for the whole domain, and this ends up in the victim's site. The cookie value is never reset, so it can even be used to persist an XSS attack. The CSRF cookie should also support the option to be a secure and/or httponly cookie.
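The following is an added example, not code from the ticket or from Django. It reproduces the behaviour the report describes with a plain Python stand-in for the template node (no Django import needed), then shows the two checks a fix would want: the middleware rejecting any cookie value that does not have the shape of a token the server could have issued, and the template escaping the value before it is marked safe. The 32-alphanumeric-character token format, the function names, and the attacker cookie are assumptions made for this example.

```python
import html
import re
import secrets

# Markup the template tag emits; copied from the CsrfTokenNode quoted above.
_MARKUP = ("<div style='display:none'>"
           "<input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>")

# Shape a legitimate token is expected to have. 32 alphanumeric characters is an
# assumption for this example; the point is that the server, not the cookie,
# defines the allowed alphabet.
_TOKEN_RE = re.compile(r'^[A-Za-z0-9]{32}$')


def render_unsanitised(csrf_token):
    """Behaviour reported in the ticket: the cookie value is interpolated as-is
    and marked safe, so a cookie an attacker controls becomes markup."""
    if not csrf_token or csrf_token == 'NOTPROVIDED':
        return ''
    return _MARKUP % csrf_token


def sanitise_cookie_token(cookie_value):
    """Middleware-side check (hypothetical): accept the cookie only if it looks
    like a token the server could have issued; otherwise mint a fresh one and
    report that the cookie must be rewritten. Returns (token, was_replaced)."""
    if cookie_value and _TOKEN_RE.match(cookie_value):
        return cookie_value, False
    return secrets.token_hex(16), True   # 32 hex chars, matches _TOKEN_RE


def render_escaped(csrf_token):
    """Template-side defence: escape before marking safe, so even a token that
    slipped past the middleware cannot close the attribute or the element."""
    if not csrf_token or csrf_token == 'NOTPROVIDED':
        return ''
    return _MARKUP % html.escape(csrf_token, quote=True)


def render_from_cookie(cookie_value):
    """Both layers together, as one request would see them."""
    token, _ = sanitise_cookie_token(cookie_value)
    return render_escaped(token)


# Constructed attacker cookie: a subdomain sets the CSRF cookie for the parent
# domain with a value that closes the attribute and the hidden div, injects a
# script element, and reopens an attribute so the trailing markup still parses.
ATTACK_COOKIE = "x' /></div><script>alert(document.domain)</script><div a='"

if __name__ == '__main__':
    print('vulnerable:', render_unsanitised(ATTACK_COOKIE))
    print('escaped:   ', render_escaped(ATTACK_COOKIE))
    print('sanitised: ', render_from_cookie(ATTACK_COOKIE))
```

Escaping alone is enough to stop the injection, but it leaves the attacker-chosen value in the cookie indefinitely, which is the persistence problem the report raises; regenerating the token whenever the cookie fails the format check is what clears it. Note that neither check addresses the separate point that a subdomain can still set a cookie the CSRF check will accept.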

Change History (5)

comment:1 by Luke Plant, 14 years ago

Owner: changed from nobody to Luke Plant
Status: new → assigned

As stated in the documentation, our CSRF mechanism is not safe against subdomain CSRF attacks. Nevertheless, it would be good to make it safe against subdomain XSS attacks.

Please open a different ticket for the request to have secure/httponly cookies, with a rationale for those features.

Thanks!

comment:2 by André Cruz, 14 years ago

The documentation specifies that subdomains can circumvent the CSRF protection, which is a lot different than saying that subdomains can insert HTML at will in your site.

comment:3 by Luke Plant, 14 years ago (in reply to comment:2)

Replying to edevil:

The documentation specifies that subdomains can circumvent the CSRF protection, which is a lot different than saying that subdomains can insert HTML at will in your site.

That's exactly what I was saying - I accepted the ticket. I was merely warning that Django in general is not secure against untrusted subdomains. We are also vulnerable to session fixation attacks from untrusted subdomains (something I do not know any solution for).

However, since this is security related, for future reference it would be better to follow the guidelines here for a bug like this: http://docs.djangoproject.com/en/dev/internals/contributing/#reporting-security-issues

I will make sure these procedures are followed with this bug (apart from the fact that the bug is already publicly visible), and the core developers will discuss what needs to be done.

comment:4 by Wil Clouser, 14 years ago

Cc: clouserw@… added

comment:5 by Luke Plant, 14 years ago

Resolution: fixed
Status: assigned → closed

This has been fixed in [13698] (trunk) and [13699] (1.2.X), with a security release.
