id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
31747	Avoid potential admin model enumeration	Daniel Maxson	Jon Dufresne	"When attacking a default Django server (one created with startproject is sufficient), you can enumerate the names of the applications and models by fuzzing the admin URL path. A redirect indicates that the model exists in that application, while a 404 indicates it does not. This can be done without any authentication. For example:

http://127.0.0.1:8000/admin/auth/user/ -> 302 to login
http://127.0.0.1:8000/admin/auth/group/ -> 302 to login
http://127.0.0.1:8000/admin/auth/foo/ -> 404

I originally raised this with the security team and after some discussion they requested a public ticket for this."	New feature	closed	contrib.admin	dev	Normal	fixed			Ready for checkin	1	0	0	0	0	0
