Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#20078 closed Bug (fixed)

Users with change-user permission in the admin can use filtering to reveal password hash

Reported by: Jacob Owned by: nobody
Component: contrib.auth Version: 1.5
Severity: Release blocker Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


?password__startswith=p       // the hash is startswith p
?password__startswith=pd     // the hash is startswith pd
?password__startswith=pdk   // the hash is startswith pdk
?password__startswith=pdka // the hash is not startswith pdka

I can get the password hash in auth_user database.

We previously disallowed arbitrary lookups traversing to other models, but that was different because it bypassed the permissions system. In this case, only users who already have user-change perms (which already means they have full admin access, since they can set any user they want to superuser status and change their password) can potentially gain access to a user's current password hash (which itself is probably out of their capacity to break now that we use strong hashing).

Anssi points out it would be easy to just do this on UserAdmin:

def lookup_allowed(self, lookup, value):

if lookup.startswith('password'):

return False

return super(UserAdmin, self).lookup_allowed(lookup, value)

Change History (5)

comment:1 by Russell Keith-Magee, 11 years ago

For purposes of credit - the original report was made by Orange Tsai <orange.8361@…>

comment:3 by Jacob Kaplan-Moss <jacob@…>, 11 years ago

Resolution: fixed
Status: newclosed

In 9e462f810194800af30ea19a6fb8ac5697d839b4:

Fixed #20078: don't allow filtering on password in the user admin.

comment:4 by Jacob Kaplan-Moss <jacob@…>, 11 years ago

In 95b88fd4ece30536f331f5bba483fe9d937a73ae:

Merge pull request #967 from jacobian/ticket/20078-admin-user-password-filtering

Fixed #20078: don't allow filtering on password in the user admin.

comment:5 by Jacob Kaplan-Moss <jacob@…>, 11 years ago

In 87f48607184ca3688ad1c0376aa0bfe27668c63b:

[1.5.x] Fixed #20078: don't allow filtering on password in the user admin.

Backport of 9e462f810194800af30ea19a6fb8ac5697d839b4 from master.

Note: See TracTickets for help on using tickets.
Back to Top