Users with change-user permission in the admin can use filtering to reveal password hash
Reported by: jacob
Owned by: nobody
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
?password__startswith=p    // the hash starts with p
?password__startswith=pd   // the hash starts with pd
?password__startswith=pdk  // the hash starts with pdk
?password__startswith=pdka // the hash does not start with pdka
....

I can get the password hash from the auth_user database.
We previously disallowed arbitrary lookups traversing to other models, but that was different because it bypassed the permissions system. In this case, only users who already have user-change perms (which already means they have full admin access, since they can set any user they want to superuser status and change their password) can potentially gain access to a user's current password hash (which itself is probably out of their capacity to break now that we use strong hashing).
Anssi points out it would be easy to just do this on UserAdmin:

    def lookup_allowed(self, lookup, value):
        # Refuse any changelist lookup that touches the password field
        # (startswith, contains, regex, ...), then fall back to the default.
        if lookup.startswith('password'):
            return False
        return super(UserAdmin, self).lookup_allowed(lookup, value)
Change History (5)
comment:3 Changed 3 years ago by Jacob Kaplan-Moss <jacob@…>
- Resolution set to fixed
- Status changed from new to closed