#15845: CSRF validation leak
---------------------------------------------+----------------------------
               Reporter:  Jay <jay.shure@…>  |        Owner:  nobody
                   Type:  Bug                |       Status:  closed
              Milestone:                     |    Component:  contrib.csrf
                Version:  1.3                |     Severity:  Normal
             Resolution:  invalid            |     Keywords:
           Triage Stage:  Unreviewed         |    Has patch:  0
    Needs documentation:  0                  |  Needs tests:  0
Patch needs improvement:  0                  |
---------------------------------------------+----------------------------

Old description:

> The CSRF validation compares request.COOKIES[settings.CSRF_COOKIE_NAME]
> and request.POST.get('csrfmiddlewaretoken', '') to see if a request is
> legal. But unfortunately both values are provided by the client side,
> and they are the same. So it is easy for attackers to fake a request so
> that no 403 will be thrown.
>
> The attached project provides one url entry that returns "ok", unless
> CSRF fails. The following commands show how to cheat.
>
> {{{
> # 200
> curl http://127.0.0.1:8000
>
> # 200
> curl -G -d test=test http://127.0.0.1:8000
>
> # 403
> curl -d test=test http://127.0.0.1:8000
>
> # 200
> curl -d "test=test;csrfmiddlewaretoken=1" -b csrftoken=1 http://127.0.0.1:8000
> }}}

New description:

 The CSRF validation compares request.COOKIES[settings.CSRF_COOKIE_NAME]
 and request.POST.get('csrfmiddlewaretoken', '') to see if a request is
 legal. But unfortunately both values are provided by the client side,
 and they are the same. So it is easy for attackers to fake a request so
 that no 403 will be thrown.

 The attached project provides one url entry that returns "ok", unless CSRF
 fails. The following commands show how to cheat.

 {{{
 # 200
 curl http://127.0.0.1:8000

 # 200
 curl -G -d test=test http://127.0.0.1:8000

 # 403
 curl -d test=test http://127.0.0.1:8000

 # 200
 curl -d "test=test;csrfmiddlewaretoken=1" -b csrftoken=1 http://127.0.0.1:8000
 }}}
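An added example, not code from the ticket or from Django itself, that models why the cookie/field comparison described above is not defeated by a cross-site request (the ticket was closed as invalid): a browser attaches the target host's cookie to a request no matter which page built the form, and a page on another origin can neither read nor set that cookie. The Browser class, the app.example host and the helper names are assumptions; Django's real middleware performs further checks that are left out here.

```python
import hmac
import secrets

CSRF_COOKIE_NAME = "csrftoken"  # same default the ticket's curl uses
TARGET = "app.example"          # constructed hostname for the protected site


def csrf_check(cookies, post):
    """The comparison the ticket describes, reduced to its core: the cookie
    value must equal the POST field. Returns an HTTP status code."""
    cookie_token = cookies.get(CSRF_COOKIE_NAME)
    form_token = post.get("csrfmiddlewaretoken", "")
    if cookie_token is None or not hmac.compare_digest(cookie_token, form_token):
        return 403
    return 200


class Browser:
    """Toy browser: one cookie jar per host. A page can read and set only
    its own host's cookies, which is the property the check relies on."""

    def __init__(self):
        self.jar = {}

    def visit(self, host):
        # On first visit the site sets a random, unguessable token cookie.
        cookies = self.jar.setdefault(host, {})
        cookies.setdefault(CSRF_COOKIE_NAME, secrets.token_hex(16))
        return cookies[CSRF_COOKIE_NAME]

    def submit(self, target, post):
        # The browser attaches target's cookies no matter which page built the form.
        return csrf_check(self.jar.get(target, {}), post)


def same_site_post(browser):
    # A page served by TARGET can read its own cookie and copy it into the form.
    token = browser.visit(TARGET)
    return browser.submit(TARGET, {"test": "test", "csrfmiddlewaretoken": token})


def cross_site_post(browser, guess="1"):
    # The victim already holds TARGET's cookie; a page on another origin can choose
    # the POST body but cannot read or overwrite that cookie, so it can only guess.
    browser.visit(TARGET)
    return browser.submit(TARGET, {"test": "test", "csrfmiddlewaretoken": guess})


def curl_self_set_cookie():
    # The ticket's last curl: the client supplies both values itself, so the check
    # passes, but no victim's cookie was involved, so nothing was forged.
    return csrf_check({CSRF_COOKIE_NAME: "1"}, {"test": "test", "csrfmiddlewaretoken": "1"})
```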

--

Comment (by russellm):

 I would also point out that if you even *suspect* that you have found a
 security issue with Django, *DO NOT* report it in Trac. Mail
 secur...@djangoproject.com instead.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/15845#comment:2>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
