
Opened 4 years ago

Closed 4 years ago

#14032 closed (fixed)

CSRF cookie value is marked as safe and inserted in the HTML unchecked

Reported by: edevil
Owned by: lukeplant
Component: Core (Other)
Version: 1.2
Severity:
Keywords: security csrf
Cc: clouserw@…
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

The value of the CSRF Cookie is inserted, unescaped, in the HTML. According to django/template/defaulttags.py:

from django.template import Node
from django.utils.safestring import mark_safe

class CsrfTokenNode(Node):
    def render(self, context):
        csrf_token = context.get('csrf_token', None)
        if csrf_token:
            if csrf_token == 'NOTPROVIDED':
                return mark_safe(u"")
            else:
                # The cookie-derived token is interpolated into the markup and
                # marked safe without any escaping; this is the defect reported here.
                return mark_safe(u"<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='%s' /></div>" % (csrf_token))

This csrf_token value is the value of the token. There are scenarios in which a subdomain attacker can set the CSRF cookie for the whole domain, and this ends up in the victim's site. The cookie value is never reset, so it can even be used to persist an XSS attack. Also, the CSRF cookie should support the option to be a secure and/or httponly cookie.
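The following is an added, framework-free illustration of the defect and of a hardened render path; it is not the ticket's code or Django's fix (see comment:5 for the actual changesets). `render_unchecked` reproduces the interpolation pattern above; `sanitize_token` allow-lists the cookie value to alphanumerics, caps its length and regenerates it when nothing survives, and `render_hardened` additionally HTML-escapes before interpolating. The cookie value, the 32-character cap and `secrets.token_hex` as the regeneration source are constructed assumptions for the example.

```python
import html
import re
import secrets

# Constructed sample: a cookie value an untrusted subdomain could have set.
# It closes the value attribute and injects markup into the page.
MALICIOUS_COOKIE = "abc'><b>injected</b>"

_NON_ALNUM = re.compile(r'[^a-zA-Z0-9]')
_TEMPLATE = ("<div style='display:none'><input type='hidden' "
             "name='csrfmiddlewaretoken' value='%s' /></div>")


def render_unchecked(csrf_token):
    """The pattern from the ticket: the cookie value goes into the HTML as-is."""
    return _TEMPLATE % csrf_token


def sanitize_token(token, max_length=32):
    """Allow-list the cookie value before it is trusted anywhere.

    Keeps only [A-Za-z0-9], truncates to max_length (assumed cap) and issues a
    fresh random token if the cookie held nothing usable, so an attacker-set
    cookie can never carry markup and an emptied cookie does not disable CSRF.
    """
    cleaned = _NON_ALNUM.sub('', token)[:max_length]
    if not cleaned:
        cleaned = secrets.token_hex(max_length // 2)  # 32 hex chars for cap 32
    return cleaned


def render_hardened(csrf_token):
    """Sanitize first, then escape: the escape is belt-and-braces for the
    case where a future token format admits characters beyond alphanumerics."""
    token = sanitize_token(csrf_token)
    return _TEMPLATE % html.escape(token, quote=True)


if __name__ == "__main__":
    print("unchecked:", render_unchecked(MALICIOUS_COOKIE))
    print("hardened: ", render_hardened(MALICIOUS_COOKIE))
```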

Attachments (0)

Change History (5)

comment:1 Changed 4 years ago by lukeplant

  • Needs documentation unset
  • Needs tests unset
  • Owner changed from nobody to lukeplant
  • Patch needs improvement unset
  • Status changed from new to assigned

As stated in the documentation, our CSRF mechanism is not safe against subdomain CSRF attacks. Nevertheless, it would be good to make it safe against subdomain XSS attacks.

Please open a different ticket for the request to have secure/httponly cookies, with a rationale for those features.

Thanks!

comment:2 Changed 4 years ago by edevil

The documentation specifies that subdomains can circumvent the CSRF protection, which is a lot different than saying that subdomains can insert HTML at will in your site.

comment:3 in reply to: ↑ 2 Changed 4 years ago by lukeplant

Replying to edevil:

The documentation specifies that subdomains can circumvent the CSRF protection, which is a lot different than saying that subdomains can insert HTML at will in your site.

That's exactly what I was saying - I accepted the ticket. I was merely warning that Django in general is not secure against untrusted subdomains. We are also vulnerable to session fixation attacks from untrusted subdomains (something I do not know any solution for).

However, since this is security related, for future reference it would be better to follow the guidelines here for a bug like this: http://docs.djangoproject.com/en/dev/internals/contributing/#reporting-security-issues

I will make sure these procedures are followed with this bug (apart from the fact that the bug is already publicly visible), and the core developers will discuss what needs to be done.

comment:4 Changed 4 years ago by clouserw

  • Cc clouserw@… added

comment:5 Changed 4 years ago by lukeplant

  • Resolution set to fixed
  • Status changed from assigned to closed

This has been fixed in [13698] (trunk) and [13699] (1.2.X), with a security release.
