Red Hat Bugzilla – Bug 379641
CVE-2007-5828 Django admin panel CSFR
Last modified: 2008-01-15 04:53:25 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5828 to the following vulnerability:
Cross-site request forgery (CSRF) vulnerability in the admin panel in Django 0.96 allows remote attackers to change passwords of arbitrary users via a request to admin/auth/user/1/password/.
Validity of this issue is being discussed even by Django upstream developers,
they do not all share the same view of the issue:
Reporter's mail informs that application using Django may be prone to CSRF
vulnerabilities, which should be "easy" to fix by using Django's CSRF protection
middleware as described here:
Django's admin panel should be affected by CSRF problem too. Moreover,
discussion referenced above suggests that enabling CsrfMiddleware may break
Michel, can you please advice here? It any fix needed / possible for Fedora
Django packages? Thanks!
Any deployed application should have the admin interface disabled, or restricted
to trusted hosts only, so this is probably best left to upstream to deal with.
The discussion has gone quiet upstream; I'm not sure we need to do anything
here. Noting that Gentoo also closes the bug as invalid.
(In reply to comment #2)
> Any deployed application should have the admin interface disabled, or
> restricted to trusted hosts only, so this is probably best left to upstream
> to deal with.
As this was reported as CSRF attack, access restricted to trusted hosts only
does not qualify as the counter-measure.
> The discussion has gone quiet upstream; I'm not sure we need to do anything
> here. Noting that Gentoo also closes the bug as invalid.
Their reason for closing as invalid is not 100% correct imho. Part of the
report was that admin panel does not use CSRF middleware, so I'd say this still
qualifies as CSRF issue again Django. But yes, this should probably be dealt
with by upstream.