Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#20078 closed Bug (fixed)

Users with change-user permission in the admin can use filtering to reveal password hash

Reported by: jacob
Owned by: nobody
Component: contrib.auth
Version: 1.5
Severity: Release blocker
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

?password__startswith=p    // the hash starts with p
?password__startswith=pd   // the hash starts with pd
?password__startswith=pdk  // the hash starts with pdk
?password__startswith=pdka // the hash does not start with pdka
....

I can get the password hash from the auth_user database.

We previously disallowed arbitrary lookups traversing to other models, but that was different because it bypassed the permissions system. In this case, only users who already have user-change perms (which already means they have full admin access, since they can set any user they want to superuser status and change their password) can potentially gain access to a user's current password hash (which itself is probably out of their capacity to break now that we use strong hashing).

Anssi points out it would be easy to just do this on UserAdmin:

    def lookup_allowed(self, lookup, value):
        # Refuse any admin filter that targets the password field
        # (e.g. ?password__startswith=...), so the stored hash cannot
        # be probed through the changelist.
        if lookup.startswith('password'):
            return False
        return super(UserAdmin, self).lookup_allowed(lookup, value)
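As an added example (not Django's code and not the patch in this ticket), the following stand-alone Python model shows the guard in action and goes one step beyond the prefix check above: it splits the lookup on Django's `__` separator and refuses the request if any component of the field path is a blocked field, so a traversal such as `user__password__exact` is also caught while a hypothetical distinct field named `password_hint` is not. The field names, the `filter_users` helper and the sample rows are constructed for the example.

```python
# Added example, not Django's own code: a stand-alone model of the
# lookup_allowed guard from the ticket, generalised to check every
# component of the lookup path instead of only its prefix.
LOOKUP_SEP = "__"              # Django's field/lookup separator
BLOCKED_FIELDS = {"password"}  # assumption: fields that must never be filterable


def lookup_allowed(lookup: str, blocked=BLOCKED_FIELDS) -> bool:
    """Return False if any field in the lookup path is blocked.

    'password', 'password__startswith' and 'user__password__exact' are
    refused; 'username__startswith' and the hypothetical 'password_hint'
    are allowed, unlike with a plain startswith('password') prefix test.
    """
    return not any(part in blocked for part in lookup.split(LOOKUP_SEP))


def filter_users(users, params):
    """Apply admin-style ?field__lookup=value filters to constructed user
    dicts, refusing the whole request (PermissionError here, where the
    admin would raise DisallowedModelAdminLookup) if any lookup is blocked.
    """
    for lookup in params:
        if not lookup_allowed(lookup):
            raise PermissionError(f"filtering on {lookup!r} is not allowed")
    matched = []
    for user in users:
        ok = True
        for lookup, value in params.items():
            field, _, op = lookup.partition(LOOKUP_SEP)
            actual = user[field]
            if op == "startswith":
                ok = ok and actual.startswith(value)
            elif op in ("", "exact"):
                ok = ok and actual == value
            else:
                raise ValueError(f"unsupported lookup {op!r}")
        if ok:
            matched.append(user["username"])
    return matched


# Constructed sample rows; the hash values are placeholders, not real hashes.
SAMPLE_USERS = [
    {"username": "alice", "password": "pbkdf2_sha256$PLACEHOLDER_A"},
    {"username": "bob", "password": "pbkdf2_sha256$PLACEHOLDER_B"},
]
```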

Change History (5)

comment:1 Changed 2 years ago by russellm

For purposes of credit - the original report was made by Orange Tsai <orange.8361@…>

comment:3 Changed 2 years ago by Jacob Kaplan-Moss <jacob@…>

  • Resolution set to fixed
  • Status changed from new to closed

In 9e462f810194800af30ea19a6fb8ac5697d839b4:

Fixed #20078: don't allow filtering on password in the user admin.

comment:4 Changed 2 years ago by Jacob Kaplan-Moss <jacob@…>

In 95b88fd4ece30536f331f5bba483fe9d937a73ae:

Merge pull request #967 from jacobian/ticket/20078-admin-user-password-filtering

Fixed #20078: don't allow filtering on password in the user admin.

comment:5 Changed 2 years ago by Jacob Kaplan-Moss <jacob@…>

In 87f48607184ca3688ad1c0376aa0bfe27668c63b:

[1.5.x] Fixed #20078: don't allow filtering on password in the user admin.

Backport of 9e462f810194800af30ea19a6fb8ac5697d839b4 from master.
