Ticket #31747: Avoid potential admin model enumeration

Reporter: Daniel Maxson
Owner: Jon Dufresne
Type: New feature
Status: closed
Component: contrib.admin
Version: dev
Severity: Normal
Resolution: fixed
Keywords: (none)
CC: (none)
Stage: Ready for checkin
Has patch: 1
Needs docs: 0
Needs tests: 0
Needs better patch: 0
Easy: 0
UI/UX: 0

Description:

When attacking a default Django server (one created with startproject is sufficient), you can enumerate the names of the applications and models by fuzzing the admin URL path. A redirect indicates that the model exists in that application, while a 404 indicates it does not. This can be done without any authentication. For example:

http://127.0.0.1:8000/admin/auth/user/ -> 302 to login
http://127.0.0.1:8000/admin/auth/group/ -> 302 to login
http://127.0.0.1:8000/admin/auth/foo/ -> 404

I originally raised this with the security team and after some discussion they requested a public ticket for this.