Opened 9 years ago

Closed 9 years ago

#5879 closed (wontfix)

Session riding vulnerability in the admin app

Reported by: roland.illig@… Owned by: nobody
Component: contrib.admin Version: newforms-admin
Severity: Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

Everything that is needed to submit an HTML form like on http://127.0.0.1:8000/admin/*/*/add/ can be guessed by an attacker. Therefore, the necessary data may be included in an external web page, and as soon as an already logged-in admin visits that page, the attacker can add things to the database.

http://en.wikipedia.org/wiki/XSRF

Roland

Change History (5)

comment:1 Changed 9 years ago by Simon G <dev@…>

Triage Stage: Unreviewed → Accepted
Version: SVN → newforms-admin

comment:2 Changed 9 years ago by Brian Rosner

Keywords: nfa-blocker added

Is this not being caught with the add permission check in both the add view?

comment:3 in reply to: 2; Changed 9 years ago by Jason Davies

Replying to brosner:

Is this not being caught with the add permission check in both the add view?

This wouldn't be caught by the add permission check; the only solution is to include some kind of token, e.g. the method used by the CSRF middleware.

comment:4 in reply to: 3; Changed 9 years ago by Alex Gaynor

Replying to esaj:

Replying to brosner:

Is this not being caught with the add permission check in both the add view?

This wouldn't be caught by the add permission check; the only solution is to include some kind of token, e.g. the method used by the CSRF middleware.

That's the point of the CSRF middleware though, we just need to make sure that users are using it, because it will protect admin as well as your own stuff.

comment:5 Changed 9 years ago by Brian Rosner

Keywords: nfa-blocker removed
Resolution: wontfix
Status: new → closed

Ok, this isn't necessarily a problem with the admin itself. As Alex pointed out, that is the whole point of the CSRF middleware and the trunk admin is already doing anything to prevent this. If this is a concern in your project then look at http://www.djangoproject.com/documentation/csrf/. Please re-open if I am not right in thinking this isn't an admin-specific problem, but please provide more information ;)
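The token approach that comments 3, 4 and 5 point to, as an added example that is not Django's own middleware or admin code: a minimal Python model of the add view with a session-bound token check. The session table, the secret and the keyed-hash token derivation are constructed assumptions; the point it demonstrates is that the add permission check alone accepts a forged cross-site POST (the browser attaches the session cookie), while the token check rejects it because the attacker's page cannot compute the token.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumption: stands in for the project's settings.SECRET_KEY (constructed value).
SECRET_KEY = b"constructed-example-secret"
# Constructed session table: one logged-in admin who holds the add permission.
SESSIONS = {"sess-abc123": {"user": "admin", "can_add": True}}


@dataclass
class Request:
    method: str
    cookies: dict                      # attached automatically by the browser
    post: dict = field(default_factory=dict)


def csrf_token_for(session_id: str) -> str:
    """Per-session token derived from a server-side secret (keyed hash is an
    assumption, not the middleware's exact formula). Another origin cannot read
    the admin's session cookie, so it cannot compute this value."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def has_add_permission(session_id: str) -> bool:
    user = SESSIONS.get(session_id)
    return user is not None and user["can_add"]


def admin_add_view(request: Request, check_token: bool) -> int:
    """Return an HTTP status code for the modelled add view."""
    sid = request.cookies.get("sessionid", "")
    if not has_add_permission(sid):       # comment 2: the permission check
        return 403
    if check_token and request.method == "POST":   # comment 4: the token check
        sent = request.post.get("csrfmiddlewaretoken", "")
        if not hmac.compare_digest(sent.encode(), csrf_token_for(sid).encode()):
            return 403
    return 200  # the object would be saved here


def forged_request() -> Request:
    """Form auto-submitted from a third-party page: the session cookie rides
    along, but the page has no way to know the token."""
    return Request("POST", {"sessionid": "sess-abc123"}, {"name": "injected row"})


def legitimate_request() -> Request:
    """Form rendered by the admin itself, carrying the hidden token field."""
    token = csrf_token_for("sess-abc123")
    return Request("POST", {"sessionid": "sess-abc123"},
                   {"name": "real row", "csrfmiddlewaretoken": token})
```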
