Bug 632239 (CVE-2010-3082)

Summary: CVE-2010-3082 Django CSRF flaw
Product: [Other] Security Response Reporter: Josh Bressers <bressers>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dmalcolm, michel, smilner
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-09-12 11:21:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 632240    
Bug Blocks:    

Description Josh Bressers 2010-09-09 13:43:06 UTC
As of the 1.2 release, the core Django framework includes a system, enabled
by default, for detecting and preventing cross-site request forgery (CSRF)
attacks against Django-powered applications. Previous Django releases
provided a different, optionally-enabled system for the same purpose.

The Django 1.2 CSRF protection system involves the generation of a random
token, inserted as a hidden field in outgoing forms. The same value is also
set in a cookie, and the cookie value and form value are compared on

The provided template tag for inserting the CSRF token into forms -- {%
csrf_token %} -- explicitly trusts the cookie value, and displays it as-is.
Thus, an attacker who is able to tamper with the value of the CSRF cookie
can cause arbitrary content to be inserted, unescaped, into the outgoing
HTML of the form, enabling cross-site scripting (XSS) attacks.

This issue was first reported via a public ticket in Django's Trac
instance; while being triaged it was then independently reported, with
broader description, by Jeff Balogh of Mozilla.


Comment 1 Josh Bressers 2010-09-09 13:43:40 UTC
Created Django tracking bugs for this issue

Affects: fedora-all [bug 632240]

Comment 2 Steve Milner 2010-09-22 14:01:18 UTC
Most all of the updates have made it out -- there was a follow up release which happened while the packages were in testing which pushed the releases out a bit. The only outstanding package is for Fedora 14 which is pending to go to stable.