Opened 14 years ago
Closed 14 years ago
#14032 closed (fixed)
CSRF cookie value is marked as safe and inserted in the HTML unchecked
| Reported by: | André Cruz | Owned by: | Luke Plant |
|---|---|---|---|
| Component: | Core (Other) | Version: | 1.2 |
| Severity: | Keywords: | security csrf | |
| Cc: | clouserw@… | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The value of the CSRF Cookie is inserted, unescaped, in the HTML. According to django/template/defaulttags.py:
class CsrfTokenNode(Node):
def render(self, context):
csrf_token = context.get('csrf_token', None)
if csrf_token:
if csrf_token == 'NOTPROVIDED':
return mark_safe(u"")
else:
return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % (csrf_token))
This csrf_token value is the value of the token. There are scenarios when a subdomain attacker can set the CSRF cookie for the whole domain and this ends up in the victim's site. The cookie value is never reset so it can even be used to persist a XSS attack. Also, the CSRF cookie should also support the option to be a secure and/or httponly cookie.
Change History (5)
comment:1 by , 14 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
follow-up: 3 comment:2 by , 14 years ago
The documentation specifies that subdomains can circumvent the CSRF protection, which is a lot different than saying that subdomains can insert HTML at will in your site.
comment:3 by , 14 years ago
Replying to edevil:
The documentation specifies that subdomains can circumvent the CSRF protection, which is a lot different than saying that subdomains can insert HTML at will in your site.
That's exactly what I was saying - I accepted the ticket. I was merely warning that Django in general is not secure against untrusted subdomains. We are also vulnerable to session fixation attacks from untrusted subdomains (something I do not know any solution for).
However, since this is security related, for future reference it would be better to follow the guidelines here for a bug like this: http://docs.djangoproject.com/en/dev/internals/contributing/#reporting-security-issues
I will make sure these procedures are followed with this bug (apart from the fact that the bug is already publicly visible), and the core developers will discuss what needs to be done.
comment:4 by , 14 years ago
| Cc: | added |
|---|
comment:5 by , 14 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
As stated in the documentation, our CSRF mechanism is not safe against subdomain CSRF attacks. Nevertheless, it would be good to make it safe against subdomain XSS attacks.
Please open a different ticket for the request to have secure/httponly cookies, with a rationale for those features.
Thanks!