
Opened 6 years ago

Closed 6 years ago

#5879 closed (wontfix)

Session riding vulnerability in the admin app

Reported by: roland.illig@…
Owned by: nobody
Component: contrib.admin
Version: newforms-admin
Severity:
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

Everything that is needed to submit an HTML form like on http://127.0.0.1:8000/admin/*/*/add/ can be guessed by an attacker. Therefore, the necessary data may be included in an external web page, and as soon as an already logged-in admin visits that page, the attacker can add things to the database.

http://en.wikipedia.org/wiki/XSRF

Roland

Attachments (0)

Change History (5)

comment:1 Changed 6 years ago by Simon G <dev@…>

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted
  • Version changed from SVN to newforms-admin

comment:2 Changed 6 years ago by brosner

  • Keywords nfa-blocker added

Is this not being caught with the add permission check in both the add view?

comment:3 (in reply to comment 2) Changed 6 years ago by esaj

Replying to brosner:

Is this not being caught with the add permission check in both the add view?

This wouldn't be caught by the add permission check, the only solution is to include some kind of token, e.g. the method used by the CSRF middleware.
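The distinction drawn in comments 2 and 3, shown as an added example that is not part of the ticket or of Django's code: a stand-in admin "add" view that relies on the add permission alone accepts a cross-site form post, because the browser attaches the victim's session cookie, whereas a view that also demands a per-session secret rejects it. The session store, request shape and field names below are assumptions for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for a server-side session store (not Django's).
SESSIONS = {}


@dataclass
class Request:
    session_id: str                        # cookie the browser attaches automatically
    post: dict = field(default_factory=dict)


def login(username, perms):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "perms": set(perms),
                     "csrf_token": secrets.token_hex(16)}
    return sid


def render_add_form(session_id):
    """A same-site form carries the per-session token as a hidden field."""
    return {"csrfmiddlewaretoken": SESSIONS[session_id]["csrf_token"]}


def add_view_permission_only(request):
    """Comment 2's assumption: the add permission check is enough."""
    sess = SESSIONS.get(request.session_id)
    if sess is None or "add" not in sess["perms"]:
        return 403
    return 201  # object created


def add_view_with_token(request):
    """Comment 3's fix: require a secret an external page cannot guess."""
    sess = SESSIONS.get(request.session_id)
    if sess is None or "add" not in sess["perms"]:
        return 403
    submitted = request.post.get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(submitted, sess["csrf_token"]):
        return 403  # cookie present, token absent: reject
    return 201


def demo():
    sid = login("admin", ["add"])
    # A form on an external page: field names are guessable, the token is not.
    forged = Request(sid, {"name": "planted"})
    legit = Request(sid, {"name": "real", **render_add_form(sid)})
    return (add_view_permission_only(forged),
            add_view_with_token(forged),
            add_view_with_token(legit))
```

The permission check passes for both requests because both arrive with a valid admin session; only the token comparison separates the form the admin actually loaded from one served elsewhere.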

comment:4 (in reply to comment 3) Changed 6 years ago by Alex

Replying to esaj:

Replying to brosner:

Is this not being caught with the add permission check in both the add view?

This wouldn't be caught by the add permission check, the only solution is to include some kind of token, e.g. the method used by the CSRF middleware.

That's the point of the CSRF middleware though, we just need to make sure that users are using it, because it will protect admin as well as your own stuff.

comment:5 Changed 6 years ago by brosner

  • Keywords nfa-blocker removed
  • Resolution set to wontfix
  • Status changed from new to closed

Ok, this isn't necessarily a problem with the admin itself. As Alex pointed out that is the whole point of the CSRF middleware and the trunk admin is already doing anything to prevent this. If this is a concern in your project then look at http://www.djangoproject.com/documentation/csrf/. Please re-open if I am not right in thinking this isn't an admin specific problem, but please provide more information ;)
