#15845: CSRF validation leak
---------------------------------------------+----------------------------
               Reporter:  Jay <jay.shure@…>  |        Owner:  nobody
                   Type:  Bug                |       Status:  closed
              Milestone:                     |    Component:  contrib.csrf
                Version:  1.3                |     Severity:  Normal
             Resolution:  invalid            |     Keywords:
           Triage Stage:  Unreviewed         |    Has patch:  0
    Needs documentation:  0                  |  Needs tests:  0
Patch needs improvement:  0                  |
---------------------------------------------+----------------------------
Old description:

> The CSRF validation compares request.COOKIES[settings.CSRF_COOKIE_NAME]
> and request.POST.get('csrfmiddlewaretoken', '') to see if a request is
> legal. But unfortunately both values are provided by the client side,
> and they are the same. So it is easy for attackers to fake a request so
> that no 403 will be thrown.
>
> The attached project provides one url entry that returns "ok", unless
> CSRF fails. The following commands show how to cheat.
>
> {{{
> # 200
> curl http://127.0.0.1:8000
>
> # 200
> curl -G -d test=test http://127.0.0.1:8000
>
> # 403
> curl -d test=test http://127.0.0.1:8000
>
> # 200
> curl -d "test=test;csrfmiddlewaretoken=1" -b csrftoken=1 http://127.0.0.1:8000
> }}}

New description:

The CSRF validation compares request.COOKIES[settings.CSRF_COOKIE_NAME]
and request.POST.get('csrfmiddlewaretoken', '') to see if a request is
legal. But unfortunately both values are provided by the client side,
and they are the same. So it is easy for attackers to fake a request so
that no 403 will be thrown.

The attached project provides one url entry that returns "ok", unless
CSRF fails. The following commands show how to cheat.

{{{
# 200
curl http://127.0.0.1:8000

# 200
curl -G -d test=test http://127.0.0.1:8000

# 403
curl -d test=test http://127.0.0.1:8000

# 200
curl -d "test=test;csrfmiddlewaretoken=1" -b csrftoken=1 http://127.0.0.1:8000
}}}

--

Comment (by russellm):

 I would also point out that if you even *suspect* that you have found a
 security issue with Django, *DO NOT* report it in Trac. Mail
 secur...@djangoproject.com instead.

--
Ticket URL: <http://code.djangoproject.com/ticket/15845#comment:2>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-updates?hl=en.
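The check the ticket quotes is the double-submit cookie pattern, and the reason the ticket was closed as invalid is visible in its last curl command: `-b csrftoken=1` writes the cookie into the client's own cookie jar, which only that client can do. In a real cross-site attack the victim's browser sends the cookie that the target site set, and a page on another origin can neither read nor overwrite it, so an attacker-chosen form token will not match it. The following is an added example, not Django's code and not the reporter's attached project: it models the cookie-versus-form-field comparison in plain Python together with a constructed per-origin cookie jar, so the legitimate submission, a cross-site form served from a placeholder `attacker.example` origin, and the ticket's curl reproduction can be compared side by side. Django's real CsrfViewMiddleware additionally performs a Referer check on HTTPS requests, which is omitted here; `bank.example` and `attacker.example` are placeholder origins.

```python
"""Double-submit CSRF check modelled in plain Python (added example, not
Django's own middleware) with a constructed per-origin cookie jar."""
import hmac
import secrets

COOKIE_NAME = "csrftoken"          # Django's default CSRF_COOKIE_NAME
FORM_FIELD = "csrfmiddlewaretoken"  # the POST field the ticket names
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def csrf_check(method: str, cookies: dict, post: dict) -> bool:
    """Return True if the request may proceed, False if it should get a 403.

    Same shape as the comparison the ticket quotes: the cookie token must
    equal the POST token. Safe methods are exempt, a missing cookie is a
    rejection, and the comparison is constant-time.
    """
    if method in SAFE_METHODS:
        return True
    cookie_token = cookies.get(COOKIE_NAME)
    if not cookie_token:
        return False
    form_token = post.get(FORM_FIELD, "")
    return hmac.compare_digest(cookie_token.encode(), form_token.encode())


class Browser:
    """Constructed model of a browser: one cookie jar per origin.

    A document served by origin A can only set cookies for A; a POST to
    origin B carries only B's cookies, whichever page produced the form.
    """

    def __init__(self):
        self.jars = {}

    def set_cookie(self, origin: str, name: str, value: str) -> None:
        self.jars.setdefault(origin, {})[name] = value

    def submit(self, target_origin: str, form_fields: dict) -> bool:
        cookies = dict(self.jars.get(target_origin, {}))
        return csrf_check("POST", cookies, form_fields)


TARGET = "https://bank.example"        # placeholder target origin
ATTACKER = "https://attacker.example"  # placeholder attacker origin


def victim_session():
    """Victim visits TARGET: the site sets the csrftoken cookie and renders a
    form whose hidden field carries the same value."""
    browser = Browser()
    token = secrets.token_hex(16)
    browser.set_cookie(TARGET, COOKIE_NAME, token)
    return browser, token


def legitimate_submission() -> bool:
    """The victim submits TARGET's own form: cookie and field agree."""
    browser, token = victim_session()
    return browser.submit(TARGET, {"test": "test", FORM_FIELD: token})


def cross_site_forgery() -> bool:
    """attacker.example serves a form that auto-posts to TARGET. It chooses the
    form field freely but can only write cookies into its own jar."""
    browser, _ = victim_session()
    browser.set_cookie(ATTACKER, COOKIE_NAME, "1")  # never reaches TARGET's jar
    return browser.submit(TARGET, {"test": "test", FORM_FIELD: "1"})


def curl_reproduction() -> bool:
    """The ticket's last command: one client supplies both values itself,
    which is a client forging a request against its own session, not CSRF."""
    return csrf_check("POST", {COOKIE_NAME: "1"}, {"test": "test", FORM_FIELD: "1"})


def curl_post_without_token() -> bool:
    """The ticket's third command: POST with no cookie and no field -> 403."""
    return csrf_check("POST", {}, {"test": "test"})


if __name__ == "__main__":
    for name, fn in [("legitimate form", legitimate_submission),
                     ("cross-site form", cross_site_forgery),
                     ("curl with -b", curl_reproduction),
                     ("curl without token", curl_post_without_token)]:
        print(f"{name:20s} -> {'200' if fn() else '403'}")
```

What the pattern relies on is that nobody but the target origin can write a cookie for the target origin into the victim's browser. Anyone who can, for example a sibling subdomain under the same registrable domain, or a network attacker injecting a Set-Cookie into a plain-HTTP response, can make the two values agree; that is the known limit of double-submit cookies in general, and is a different situation from the one the ticket reports.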