Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#15845 closed Bug (invalid)

CSRF validation leak

Reported by: Jay <jay.shure@…> Owned by: nobody
Component: CSRF Version: 1.3
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description (last modified by russellm)

The CSRF validation compares request.COOKIES[settings.CSRF_COOKIE_NAME] and request.POST.get('csrfmiddlewaretoken', ) to see if a request is legal. But unfortunately both values are provided by the client side, and they are the same. So it is easy for attackers to fake a request so that no 403 will be thrown.

The attached project provides one URL entry that returns "ok", unless CSRF fails. The following commands show how to cheat.

# 200

# 200
curl -G -d test=test

# 403
curl -d test=test

# 200
curl -d "test=test;csrfmiddlewaretoken=1" -b csrftoken=1

Attachments (1)

csrfleak.tar.bz2 (1018 bytes) - added by Jay <jay.shure@…> 4 years ago.


Change History (3)

Changed 4 years ago by Jay <jay.shure@…>

comment:1 Changed 4 years ago by lukeplant

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to invalid
  • Status changed from new to closed

This does not result in a CSRF vulnerability. curl is irrelevant - CSRF is about browsers being abused.
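The following is an added illustration of the point made in the description and in comment:1; it is not code from the attached project or from Django itself. It models the double-submit check the description describes (cookie token must equal the POST field, with the safe methods exempt, cookie name csrftoken as in the ticket's curl lines) and contrasts two clients: a curl-style client that chooses both values, and a browser whose cookie jar a cross-origin attacker page cannot read. The Browser class, the 16-byte token length and the function names are assumptions made for the example.

```python
import hmac
import secrets

# Assumed defaults for the example; the ticket's curl lines use csrftoken as the cookie name.
COOKIE_NAME = "csrftoken"
FORM_FIELD = "csrfmiddlewaretoken"
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def csrf_check(method, cookies, post):
    """Double-submit cookie check as described in the ticket.

    Safe methods are not checked (the ticket's `curl -G` request gets 200).
    For other methods the cookie token and the POST field must both be
    present and equal.  Returns (status, reason).
    """
    if method in SAFE_METHODS:
        return 200, "ok"
    cookie_token = cookies.get(COOKIE_NAME)
    if cookie_token is None:
        return 403, "CSRF cookie not set"
    form_token = post.get(FORM_FIELD, "")
    # Constant-time compare so the check itself does not leak the token.
    if not hmac.compare_digest(cookie_token, form_token):
        return 403, "CSRF token missing or incorrect"
    return 200, "ok"


def new_token():
    """Unpredictable per-client token (length is an assumption of this example)."""
    return secrets.token_hex(16)


# --- The ticket's curl requests: one client controls both values ---------------

def curl_get_with_data():
    # curl -G -d test=test  -> GET, so the check is skipped: 200
    return csrf_check("GET", {}, {"test": "test"})


def curl_post_without_cookie():
    # curl -d test=test  -> POST with no cookie: 403
    return csrf_check("POST", {}, {"test": "test"})


def curl_post_with_matching_cookie():
    # curl -d "test=test;csrfmiddlewaretoken=1" -b csrftoken=1  -> 200
    # The same party sends cookie and field, so of course they match; this is
    # the requester forging a request against itself, not a cross-site attack.
    return csrf_check("POST", {COOKIE_NAME: "1"}, {"test": "test", FORM_FIELD: "1"})


# --- A browser: cookies are attached automatically but hidden from other sites -

class Browser:
    """Minimal model of a victim's browser (assumed for this example).

    The target site can set a cookie in the jar; the jar is sent with every
    request to that site; a page on another origin cannot read it.
    """

    def __init__(self):
        self.jar = {}

    def visit_target(self):
        # First visit: the target site issues the victim's CSRF cookie.
        self.jar[COOKIE_NAME] = new_token()

    def submit_post(self, form_fields):
        # The browser attaches the stored cookies to the request by itself.
        return csrf_check("POST", dict(self.jar), form_fields)


def cross_site_forgery(victim, attacker_field_value):
    """An attacker page makes the victim's browser POST a form it authored.

    The attacker picks the form field but cannot read the victim's cookie,
    so the field only matches if the attacker guessed a random 128-bit token.
    """
    return victim.submit_post({"test": "test", FORM_FIELD: attacker_field_value})


def same_site_form_post(victim):
    """The target site's own page can render the cookie value into its form
    (the role of Django's csrf_token template tag), so the two values match."""
    token = victim.jar[COOKIE_NAME]
    return victim.submit_post({"test": "test", FORM_FIELD: token})


if __name__ == "__main__":
    victim = Browser()
    victim.visit_target()
    print("curl -G:", curl_get_with_data())
    print("curl POST, no cookie:", curl_post_without_cookie())
    print("curl POST, self-set cookie:", curl_post_with_matching_cookie())
    print("cross-site form, guessed token '1':", cross_site_forgery(victim, "1"))
    print("same-site form:", same_site_form_post(victim))
```

The curl results reproduce the ticket's 200/403/200 sequence, and the last two calls show why that is not a CSRF bypass: the check is only meaningful against a request sent from someone else's browser, where the cookie is present but unreadable to the attacker.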

comment:2 Changed 4 years ago by russellm

  • Description modified (diff)

I would also point out that if you even *suspect* that you have found a security issue with Django, *DO NOT* report it in Trac. Mail security@… instead.
