Re: [Django] #15845: CSRF validation leak

2011-04-18 Thread Django
#15845: CSRF validation leak
------------------------------+------------------------------
 Reporter:  Jay               |  Owner:  nobody
 Type:  Bug                   |  Status:  closed
 Milestone:                   |  Component:  contrib.csrf
 Version:  1.3                |  Severity:  Normal
 Resolution:  invalid         |  Keywords:
 Triage Stage:  Unreviewed    |  Has patch:  0
 Needs documentation:  0      |  Needs tests:  0
 Patch needs improvement:  0  |
------------------------------+------------------------------

Old description:

> The CSRF validation compares request.COOKIES[settings.CSRF_COOKIE_NAME]
> and request.POST.get('csrfmiddlewaretoken', '') to see if a request is
> legal. But unfortunately both values are provided by the client side,
> and they are the same. So it is easy for attackers to fake a request for
> which no 403 will be thrown.
>

> The attached project provides one url entry that returns "ok", unless
> CSRF fails. The following commands show how to cheat.
>
> {{{
> # 200
> curl http://127.0.0.1:8000
>
> # 200
> curl -G -d test=test http://127.0.0.1:8000
>
> # 403
> curl -d test=test http://127.0.0.1:8000
>
> # 200
> curl -d "test=test;csrfmiddlewaretoken=1" -b csrftoken=1 http://127.0.0.1:8000
> }}}

New description:

 The CSRF validation compares request.COOKIES[settings.CSRF_COOKIE_NAME]
 and request.POST.get('csrfmiddlewaretoken', '') to see if a request is
 legal. But unfortunately both values are provided by the client side,
 and they are the same. So it is easy for attackers to fake a request for
 which no 403 will be thrown.

 The attached project provides one url entry that returns "ok", unless CSRF
 fails. The following commands show how to cheat.

 {{{
 # 200
 curl http://127.0.0.1:8000

 # 200
 curl -G -d test=test http://127.0.0.1:8000

 # 403
 curl -d test=test http://127.0.0.1:8000

 # 200
 curl -d "test=test;csrfmiddlewaretoken=1" -b csrftoken=1 http://127.0.0.1:8000
 }}}

--

Comment (by russellm):

 I would also point out that if you even *suspect* that you have found a
 security issue with Django, *DO NOT* report it in Trac. Mail
 secur...@djangoproject.com instead.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.



Re: [Django] #15845: CSRF validation leak

2011-04-18 Thread Django
#15845: CSRF validation leak
------------------------------+------------------------------
 Reporter:  Jay               |  Owner:  nobody
 Type:  Bug                   |  Status:  closed
 Milestone:                   |  Component:  contrib.csrf
 Version:  1.3                |  Severity:  Normal
 Resolution:  invalid         |  Keywords:
 Triage Stage:  Unreviewed    |  Has patch:  0
 Needs documentation:  0      |  Needs tests:  0
 Patch needs improvement:  0  |
------------------------------+------------------------------
Changes (by lukeplant):

 * status:  new => closed
 * needs_docs:   => 0
 * resolution:   => invalid
 * needs_tests:   => 0
 * needs_better_patch:   => 0


Comment:

 This does not result in a CSRF vulnerability. curl is irrelevant - CSRF is
 about browsers being abused.

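The two closing comments compress the reasoning to a sentence each, so here is a worked model of it. This is an added example, not Django's code and not the reporter's attached project: the host names bank.example and evil.example are constructed, the Request and Browser classes stand in for a browser's cookie jar and same-origin policy, and the Referer check Django 1.3 also performs on HTTPS is left out. It walks the three cases that matter: a same-origin form submission passes; a cross-site form submission fails because the victim's browser attaches the real cookie on the wire but the attacking page cannot read it to fill in the hidden field; and the ticket's last curl line passes only because the client supplies its own cookie, which forges nothing on anyone else's behalf.

```python
# Added example (not Django's code, not from the ticket): a simplified model of
# the double-submit cookie check quoted in the ticket, and of the browser
# behaviour that makes it work. Host names are constructed for the example.
import hmac
import secrets
from dataclasses import dataclass, field

CSRF_COOKIE_NAME = "csrftoken"        # Django's default CSRF_COOKIE_NAME
FORM_FIELD = "csrfmiddlewaretoken"
TARGET = "bank.example"               # constructed: the site being protected
ATTACKER = "evil.example"             # constructed: a site the victim also visits


@dataclass
class Request:
    method: str
    cookies: dict   # cookies the transport attached to the request
    post: dict      # submitted form fields


def csrf_check(request: Request) -> int:
    """The comparison the ticket quotes, reduced to its essentials: for a
    non-safe method the cookie and the posted field must both be present and
    equal. Returns the HTTP status the middleware would answer with.
    (Django 1.3 also checks the Referer on HTTPS; omitted in this model.)"""
    if request.method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return 200
    cookie = request.cookies.get(CSRF_COOKIE_NAME, "")
    token = request.post.get(FORM_FIELD, "")
    if not cookie or not hmac.compare_digest(cookie, token):
        return 403
    return 200


@dataclass
class Browser:
    """The one browser property the check relies on: a site's cookies travel
    with every request to that site, but only pages from that same site can
    read or set them (same-origin policy, modelled per host)."""
    jar: dict = field(default_factory=dict)   # host -> {cookie name: value}

    def readable_cookies(self, page_origin: str, site: str) -> dict:
        """What script running on `page_origin` can learn about `site`'s cookies."""
        return dict(self.jar.get(site, {})) if page_origin == site else {}

    def submit(self, page_origin: str, site: str, fields: dict) -> Request:
        """A form on `page_origin` POSTs to `site`; the browser attaches
        `site`'s cookies no matter which page initiated the request."""
        return Request("POST", dict(self.jar.get(site, {})), dict(fields))


def serve_form(browser: Browser, site: str) -> dict:
    """Server side of a GET to `site`: Set-Cookie the CSRF token if the browser
    has none yet, and render the same value into the form's hidden field."""
    cookies = browser.jar.setdefault(site, {})
    token = cookies.setdefault(CSRF_COOKIE_NAME, secrets.token_hex(16))
    return {FORM_FIELD: token, "test": "test"}


def legitimate_submission() -> int:
    """The victim submits TARGET's own form: cookie and field carry the same value."""
    browser = Browser()
    fields = serve_form(browser, TARGET)
    return csrf_check(browser.submit(TARGET, TARGET, fields))          # 200


def cross_site_forgery() -> int:
    """The victim already has a TARGET session, then loads a page on ATTACKER
    that auto-submits a form to TARGET. The browser attaches the victim's real
    csrftoken cookie, but ATTACKER's page cannot read it, so the field can only
    hold a guess (the '1' from the ticket's curl line). Values differ: 403."""
    browser = Browser()
    serve_form(browser, TARGET)
    if browser.readable_cookies(ATTACKER, TARGET):
        raise AssertionError("same-origin policy would have to be broken first")
    forged = browser.submit(ATTACKER, TARGET, {"test": "test", FORM_FIELD: "1"})
    return csrf_check(forged)                                           # 403


def self_authored_request() -> int:
    """The ticket's last curl line: the client chooses both values itself.
    The check passes, but no other user's cookies are involved, so the request
    carries only whatever authority that client already had. Nothing is forged."""
    return csrf_check(Request("POST", {CSRF_COOKIE_NAME: "1"},
                              {"test": "test", FORM_FIELD: "1"}))       # 200


if __name__ == "__main__":
    print("same-origin form   :", legitimate_submission())
    print("cross-site forgery :", cross_site_forgery())
    print("curl sets both     :", self_authored_request())
```

Run it directly and it prints 200, 403, 200 for the three cases. The point of the model is the `readable_cookies` method: the cookie value reaches the server in both the legitimate and the forged request, but only a page on the protected site can copy it into the form field, which is the property the double-submit pattern depends on and the property curl never exercises.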



[Django] #15845: CSRF validation leak

2011-04-18 Thread Django
#15845: CSRF validation leak
------------------------------+------------------------------
 Reporter:  Jay               |  Owner:  nobody
 Type:  Bug                   |  Status:  new
 Milestone:                   |  Component:  contrib.csrf
 Version:  1.3                |  Severity:  Normal
 Keywords:                    |  Triage Stage:  Unreviewed
 Has patch:  0                |
------------------------------+------------------------------
 The CSRF validation compares request.COOKIES[settings.CSRF_COOKIE_NAME]
 and request.POST.get('csrfmiddlewaretoken', '') to see if a request is
 legal. But unfortunately both values are provided by the client side,
 and they are the same. So it is easy for attackers to fake a request for
 which no 403 will be thrown.


 The attached project provides one url entry that returns "ok", unless CSRF
 fails. The following commands show how to cheat.

 {{{
 # 200
 curl http://127.0.0.1:8000

 # 200
 curl -G -d test=test http://127.0.0.1:8000

 # 403
 curl -d test=test http://127.0.0.1:8000

 # 200
 curl -d "test=test;csrfmiddlewaretoken=1" -b csrftoken=1 http://127.0.0.1:8000
 }}}
