I work a lot with Mezzanine which is a CMS that uses Django.  A
security issue was recently revealed where an admin user, let's call
him A, (they can post rich content) could put a cleverly constructed
javascript on a page such that if a superuser, let's call her B, then
visited the page it would elevate A to superuser status (a more
thorough explanation is here:
http://groups.google.com/group/mezzanine-users/browse_thread/thread/14fde9d8bc71555b/8208a128dbe314e8?lnk=gst&q=security).
Apparently any django app which allowed admin users to post arbitrary
html would be vulnerable.

My first thought was that csrf protection should prevent this but alas
that is not the case.  The only real solution found is to restrict
admin users from posting any javascript in their content, unless you
completely trust the admin users.

My question is are there any other solutions to these sorts of
problems?  It seems like allowing an admin user to post javascript is
reasonable, what is unreasonable is for that javascript to be able to
elevate a user's privilege.  Could improvements be made to the csrf
mechanism to prevent this sort of user privilege elevation?

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.
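The remedy the thread settles on, keeping script out of admin-posted rich text, as an added example (my own code, not Mezzanine's or Django's): a stdlib-only allowlist sanitizer that drops unknown tags, every event-handler attribute and any javascript:/data: URL before the content is stored. The tag and attribute allowlists are assumed choices.

```python
import html
from html.parser import HTMLParser

# Allowlist for rich text (assumed choices): anything not listed is stripped.
ALLOWED_TAGS = {"p", "br", "a", "b", "i", "em", "strong", "ul", "ol", "li",
                "h1", "h2", "h3", "blockquote", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}  # content dropped too
SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_url(value):
    # Entities are already decoded by HTMLParser; browsers also ignore whitespace and
    # control characters inside the scheme, so strip them before comparing.
    v = "".join(ch for ch in value if ch.isprintable() and not ch.isspace()).lower()
    scheme, sep, _ = v.partition(":")
    if not sep or any(c in scheme for c in "/?#"):
        return True  # no scheme: a relative URL
    return scheme in SAFE_SCHEMES  # rejects javascript:, data:, vbscript:, ...

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:  # unknown tags vanish, text stays
            kept = []
            for name, value in attrs:
                value = value or ""
                if name not in ALLOWED_ATTRS.get(tag, set()):
                    continue  # drops every on* handler, style=, etc.
                if name in ("href", "src") and not safe_url(value):
                    continue
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):  # comments, declarations and PIs are dropped by default
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

def sanitize(fragment):
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Run it on save and again on render, and treat any script that survives as a defect in the allowlist; a maintained library such as bleach does the same job with more edge cases covered.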
