Opened 17 years ago
Closed 17 years ago
#5879 closed (wontfix)
Session riding vulnerability in the admin app
| Field | Value | Field | Value |
|---|---|---|---|
| Reported by: | | Owned by: | nobody |
| Component: | contrib.admin | Version: | newforms-admin |
| Severity: | | Keywords: | |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Everything that is needed to submit an HTML form like on http://127.0.0.1:8000/admin/*/*/add/ can be guessed by an attacker. Therefore, the necessary data may be included in an external web page, and as soon as an already logged-in admin visits that page, the attacker can add things to the database.
http://en.wikipedia.org/wiki/XSRF
Roland
Change History (5)
comment:1 by , 17 years ago

| Triage Stage: | Unreviewed → Accepted |
|---|---|
| Version: | SVN → newforms-admin |
follow-up: 3 comment:2 by , 17 years ago

| Keywords: | nfa-blocker added |
|---|---|

Is this not being caught with the add permission check in the add view?
follow-up: 4 comment:3 by , 17 years ago

Replying to brosner:

> Is this not being caught with the add permission check in the add view?

This wouldn't be caught by the add permission check; the only solution is to include some kind of token, e.g. the method used by the CSRF middleware.
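To make the two comments above concrete: the permission check passes because the browser attaches the logged-in admin's session cookie to the forged request, while a synchronizer token bound to the session is something the attacker's page can neither read nor guess. The following is an added illustration written for this ticket, not Django's code; the session store, the `login`/`render_add_form` helpers, the view functions and the constructed form data are all assumptions standing in for the real admin and middleware.

```python
import hmac
import secrets

# Constructed in-memory session store: session id (the cookie value) -> data.
# Stands in for whatever backs the real session; assumption, not Django's code.
SESSIONS = {}


def login(user):
    """Create a session for `user` and return the session id the cookie carries."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_add_form(sid):
    """Render the admin 'add' form for one session with its token embedded."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="post" action="/admin/app/model/add/">'
        f'<input type="hidden" name="csrfmiddlewaretoken" value="{token}">'
        '<input name="title"><input type="submit"></form>'
    )


def handle_add_unprotected(cookie_sid, post_data):
    """The situation the ticket describes: only the add permission is checked.

    The forged request arrives with the admin's own cookie, so it passes.
    """
    session = SESSIONS.get(cookie_sid)
    if session is None or session["user"] != "admin":
        return 403
    return 201  # object created


def handle_add_protected(cookie_sid, post_data):
    """Same view with a session-bound token check placed before everything else."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 403
    submitted = post_data.get("csrfmiddlewaretoken", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403  # rejected before any permission or model logic runs
    if session["user"] != "admin":
        return 403
    return 201


def demo():
    """Run a forged and a legitimate submission through both views."""
    sid = login("admin")
    # Forged request (constructed): an external page auto-submits the form.
    # The browser adds the session cookie, but the page cannot read the token.
    forged = {"title": "planted"}
    # Legitimate request (constructed): the admin submitted the rendered form.
    legit = {"title": "real", "csrfmiddlewaretoken": SESSIONS[sid]["csrf_token"]}
    return {
        "unprotected_forged": handle_add_unprotected(sid, forged),
        "protected_forged": handle_add_protected(sid, forged),
        "protected_legit": handle_add_protected(sid, legit),
        "form_contains_token": SESSIONS[sid]["csrf_token"] in render_add_form(sid),
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks in `handle_add_protected` is the point: the token is verified before the permission check, so a forged request is refused even though it is carried by a fully privileged session.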
comment:4 by , 17 years ago

Replying to esaj:

> Replying to brosner:
>
> > Is this not being caught with the add permission check in the add view?
>
> This wouldn't be caught by the add permission check; the only solution is to include some kind of token, e.g. the method used by the CSRF middleware.

That's the point of the CSRF middleware though, we just need to make sure that users are using it, because it will protect admin as well as your own stuff.
comment:5 by , 17 years ago

| Keywords: | nfa-blocker removed |
|---|---|
| Resolution: | → wontfix |
| Status: | new → closed |
Ok, this isn't necessarily a problem with the admin itself. As Alex pointed out that is the whole point of the CSRF middleware and the trunk admin is already doing anything to prevent this. If this is a concern in your project then look at http://www.djangoproject.com/documentation/csrf/. Please re-open if I am not right in thinking this isn't an admin specific problem, but please provide more information ;)