Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#15845 closed Bug (invalid)

CSRF validation leak

Reported by: Jay <jay.shure@…> Owned by: nobody
Component: CSRF Version: 1.3
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description (last modified by Russell Keith-Magee)

The CSRF validation compares request.COOKIES[settings.CSRF_COOKIE_NAME] and request.POST.get('csrfmiddlewaretoken', ) to see if a request is legal. But unfortunately both two values are provided by the client side, and they are the same. So it is easy for attackers to fake a request that no 403 will be thrown.

The attached project provides one url entry that returns "ok", unless CSRF fails. Following cmds show how to cheat.

# 200
curl http://127.0.0.1:8000

# 200
curl -G -d test=test http://127.0.0.1:8000

# 403
curl -d test=test http://127.0.0.1:8000

# 200
curl -d "test=test;csrfmiddlewaretoken=1" -b csrftoken=1  http://127.0.0.1:8000

Attachments (1)

csrfleak.tar.bz2 (1018 bytes) - added by Jay <jay.shure@…> 5 years ago.

Download all attachments as: .zip

Change History (3)

Changed 5 years ago by Jay <jay.shure@…>

Attachment: csrfleak.tar.bz2 added

comment:1 Changed 5 years ago by Luke Plant

Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset
Resolution: invalid
Status: newclosed

This does not result in a CSRF vulnerability. curl is irrelevant - CSRF is about browsers being abused.

comment:2 Changed 5 years ago by Russell Keith-Magee

Description: modified (diff)

I would also point out that if you even *suspect* that you have found a security issue with Django, *DO NOT* report it in Trac. Mail security@… instead.

Note: See TracTickets for help on using tickets.
Back to Top