#31747 closed New feature (fixed)
Avoid potential admin model enumeration
| Reported by: | Daniel Maxson | Owned by: | Jon Dufresne |
|---|---|---|---|
| Component: | contrib.admin | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
When attacking a default Django server (one created with startproject is sufficient), you can enumerate the names of the applications and models by fuzzing the admin URL path. A redirect indicates that the model exists in that application, while a 404 indicates it does not. This can be done without any authentication. For example:
http://127.0.0.1:8000/admin/auth/user/ -> 302 to login
http://127.0.0.1:8000/admin/auth/group/ -> 302 to login
http://127.0.0.1:8000/admin/auth/foo/ -> 404
I originally raised this with the security team and after some discussion they requested a public ticket for this.
Change History (12)
comment:1 by , 4 years ago
| Summary: | Model enumeration → Avoid potential admin model enumeration |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
| Type: | Bug → New feature |
comment:2 by , 4 years ago
| Has patch: | set |
|---|
We might add an attribute ala final_catch_all_pattern = True to AdminSite
I used this approach in https://github.com/django/django/pull/13134
comment:3 by , 4 years ago
| Patch needs improvement: | set |
|---|---|
| Version: | 3.0 → master |
comment:4 by , 4 years ago
| Patch needs improvement: | unset |
|---|
PR is adjusted. Putting back in the queue.
comment:5 by , 4 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:6 by , 4 years ago
| Patch needs improvement: | set |
|---|
I'm going to mark as Patch needs improvement for the moment. There's some discussion on the PR as to the best way forwards ref a break of APPEND_SLASH behaviour for the admin.
It looks like we can make it work for non-staff users well enough, but there's an edge-case for staff-users with a missing permission. I would propose to move forward with that solution as a win now.
We can then come back to the more difficult question of changing the APPEND_SLASH behaviour for the admin, which probably needs more discussion to get right.
comment:8 by , 4 years ago
| Patch needs improvement: | set |
|---|
There are various options on the PR to maintain the historic APPEND_SLASH behavior for the admin catchall view to only staff users, with options for exactly how we allow users to control that on a per ModelAdmin or per AdminSite basis.
Spectrum of options would then be:
Redirect only for staff. (Default.)
Turn off per model admin overriding get_urls()
Optionally: Turn off per model admin with flag &/or Turn off at Admin site with flag.
Set APPEND_SLASH=False.
All of which solve the problem of unauthenticated enumeration of existing models via URL admin redirect behavior, but don't require removing APPEND_SLASH itself.
comment:9 by , 4 years ago
| Triage Stage: | Accepted → Ready for checkin |
|---|
OK, we're ready to go here, bar a TB decision on whether AdminSite.append_slash should default to True (keeping the current behaviour) or False (defaulting to off) for which the thread is here: https://groups.google.com/g/django-developers/c/XW6fsFkbFrY
Going to mark RFC just to keep out of the way while we wait for a decision.
comment:10 by , 4 years ago
| Patch needs improvement: | unset |
|---|
Thanks Daniel.
Pasting here extracts from the security team discussion. This idea of adding a
final_catch_all_patternseems most likely: