Bug 460966 (CVE-2008-3909)

Summary: CVE-2008-3909 Django: CSRF issue fixed in 0.96.3
Product: Fedora
Component: Django
Version: 9
Status: CLOSED NEXTRELEASE
Severity: high
Priority: high
Keywords: Security
Hardware: All
OS: All
URL: http://www.djangoproject.com/weblog/2008/sep/02/security/
Fixed In Version: 0.96.3-1
Doc Type: Bug Fix
Reporter: Steve Milner <smilner>
Assignee: Michel Alexandre Salim <michel>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: james
Last Closed: 2008-09-06 14:38:40 UTC

Description Steve Milner 2008-09-03 00:57:03 UTC
Description of problem:
The following was reported today to the public (Sept 2, 2008) via the Django main site:

The Django administration application, as a convenience for users whose sessions expire, will attempt to preserve HTTP POST data from an incoming submission while re-authenticating the user, and will -- on successful authentication -- allow the submission to continue without requiring data to be re-entered.

Django developer Simon Willison has presented the Django development team with a proof-of-concept cross-site request forgery (CSRF) which exploits this behavior to perform unrequested deletion/modification of data. This exploit has been tested and verified by the Django team, and succeeds regardless of whether Django's bundled CSRF-protection module is active.

Version-Release number of selected component (if applicable):
Django-0.96.2-1

Extra Info
Since I am not aware if the maintainer of the package was given advance notice I'm cc'ing him on this bug.
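
The behaviour described in the advisory above, modelled as an added example (this is not code from the bug report or from Django itself): a tiny admin request handler in two versions, one that stashes an unauthenticated POST in the login form and replays it after a successful login, and one that discards it and requires a session-bound token on state-changing requests. Request, Store, PreservingAdmin, HardenedAdmin, the test credentials and the object names are all constructed for this example; the hardened version shows one reasonable mitigation and is not a reproduction of the actual 0.96.3 patch.

```python
"""Model of an admin view that re-authenticates users whose session expired.

Constructed example: plain dicts stand in for Django's request, session and
ORM.  The harness replays the same request sequence against both handlers and
reports whether an unintended deletion went through.
"""
import hmac
import secrets
from dataclasses import dataclass, field

VALID_PASSWORD = {"alice": "correct-horse"}  # constructed test credentials


@dataclass
class Request:
    method: str
    path: str
    post: dict = field(default_factory=dict)
    # Cookie-backed session: the browser attaches it to every request to this
    # site, including ones that another site caused it to send.
    session: dict = field(default_factory=dict)


@dataclass
class Store:
    objects: set = field(default_factory=lambda: {"article-1", "article-2"})


def delete_view(request, store):
    """State-changing admin action: removes the named object."""
    store.objects.discard(request.post["obj"])
    return "deleted"


def _credentials_ok(post):
    return VALID_PASSWORD.get(post.get("username")) == post.get("password")


class PreservingAdmin:
    """Pre-fix behaviour: an unauthenticated POST is carried through the login
    form as hidden fields and replayed once the user authenticates."""

    def dispatch(self, request, store):
        sess = request.session
        if not sess.get("user"):
            if request.method == "POST" and "username" in request.post:
                if _credentials_ok(request.post):
                    sess["user"] = request.post["username"]
                    preserved = request.post.get("post_data")
                    if preserved:
                        # Replay the submission that triggered the login prompt,
                        # whoever originally caused the browser to send it.
                        return delete_view(Request("POST", request.path, preserved, sess), store)
                    return {"redirect": request.path}
                hidden = {"post_data": dict(request.post.get("post_data", {}))}
                return {"login_form": True, "hidden": hidden}
            # Stash the incoming POST in hidden fields of the login form.
            return {"login_form": True, "hidden": {"post_data": dict(request.post)}}
        if request.method == "POST":
            return delete_view(request, store)
        return {"page": request.path}


class HardenedAdmin:
    """Mitigated behaviour: nothing from an unauthenticated POST survives the
    login, and every state-changing POST must carry a token bound to the session."""

    def dispatch(self, request, store):
        sess = request.session
        if not sess.get("user"):
            if request.method == "POST" and "username" in request.post and _credentials_ok(request.post):
                sess["user"] = request.post["username"]
                sess["csrf"] = secrets.token_hex(16)
                return {"redirect": request.path}  # GET of the original page; nothing replayed
            return {"login_form": True, "hidden": {}}  # stash nothing
        if request.method == "POST":
            token = request.post.get("csrf", "")
            if not hmac.compare_digest(token, sess.get("csrf", "")):
                return {"error": 403}
            return delete_view(request, store)
        return {"page": request.path}


def simulate_expired_session_post(admin_cls):
    """Expired admin session, then a POST the user did not intend (e.g. one
    auto-submitted from another page), then the user logging back in.
    Returns True if article-1 survived, i.e. no unintended deletion occurred."""
    store = Store()
    admin = admin_cls()
    session = {}  # cookie present, but no authenticated user any more
    unintended = Request("POST", "/admin/delete/", {"obj": "article-1"}, session)
    resp = admin.dispatch(unintended, store)
    assert resp.get("login_form")
    # The user sees a login page and signs in; the browser submits whatever
    # hidden fields that page was rendered with.
    login_post = {"username": "alice", "password": "correct-horse", **resp["hidden"]}
    admin.dispatch(Request("POST", "/admin/delete/", login_post, session), store)
    return "article-1" in store.objects


def legitimate_delete():
    """The hardened handler still serves a genuine user: log in, then delete
    once without the token (refused) and once with it (accepted)."""
    store = Store()
    admin = HardenedAdmin()
    session = {}
    admin.dispatch(Request("POST", "/admin/login/",
                           {"username": "alice", "password": "correct-horse"}, session), store)
    no_token = admin.dispatch(Request("POST", "/admin/delete/", {"obj": "article-2"}, session), store)
    with_token = admin.dispatch(Request("POST", "/admin/delete/",
                                        {"obj": "article-2", "csrf": session["csrf"]}, session), store)
    return no_token, with_token, "article-2" in store.objects


if __name__ == "__main__":
    print("preserving handler kept the object:", simulate_expired_session_post(PreservingAdmin))
    print("hardened handler kept the object:  ", simulate_expired_session_post(HardenedAdmin))
    print("legitimate flow:", legitimate_delete())
```

The point the advisory makes, and the harness reproduces, is that the bundled CSRF middleware does not help here: the dangerous request is the login submission itself, which the user really does intend to send, and the stashed data rides along with it. Dropping the stash and redirecting to a GET removes that path; the session-bound token is the separate, ordinary protection for POSTs made while logged in.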

Comment 1 James Bennett 2008-09-03 01:14:21 UTC
Michel was listed on the advance notification last week, albeit at a different address; if the address CC'd above is the correct address to use for such notifications, let me know and I'll update our list.

Comment 2 Michel Alexandre Salim 2008-09-03 01:43:11 UTC
What e-mail address was used for the advance notification? I just checked and could not find the e-mail.

Please use salimma@fedoraproject.org or michel.sylvan@gmail.com -- preferably the former. Thanks.

Working on the new release now.

Comment 3 James Bennett 2008-09-03 01:59:22 UTC
I had previously received email from michel.salim@gmail and was using that; it never bounced so I'd assumed it was still the correct one; I'll switch to the fedora address for the future.

Comment 4 Fedora Update System 2008-09-03 02:26:54 UTC
Django-0.96.3-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/Django-0.96.3-1.fc9

Comment 5 Fedora Update System 2008-09-03 02:28:45 UTC
Django-0.96.3-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/Django-0.96.3-1.fc9

Comment 6 Fedora Update System 2008-09-03 02:29:32 UTC
Django-0.96.3-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/Django-0.96.3-1.fc8

Comment 7 Tomas Hoger 2008-09-04 18:11:58 UTC
CVE id CVE-2008-3909 was assigned to this issue:

The administration application in Django 0.91, 0.95, and 0.96 stores
unauthenticated HTTP POST requests and processes them after successful
authentication occurs, which allows remote attackers to conduct
cross-site request forgery (CSRF) attacks and delete or modify data
via unspecified requests.

Comment 8 Michel Alexandre Salim 2008-09-06 14:38:40 UTC
Update has been marked stable, but for some reason the bug is not automatically closed; closing now.

Comment 9 Fedora Update System 2008-09-10 06:35:46 UTC
Django-0.96.3-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2008-09-10 06:40:49 UTC
Django-0.96.3-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.