Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5828 to the following vulnerability: Cross-site request forgery (CSRF) vulnerability in the admin panel in Django 0.96 allows remote attackers to change passwords of arbitrary users via a request to admin/auth/user/1/password/. References: http://www.securityfocus.com/archive/1/archive/1/482983/100/0/threaded
Validity of this issue is being discussed even by Django upstream developers; they do not all share the same view of the issue: http://groups.google.com/group/django-developers/browse_thread/thread/1ea43b6adbcaf7fc/8f0796d4843f7463#8f0796d4843f7463 http://bugs.gentoo.org/show_bug.cgi?id=198347 Reporter's mail informs that an application using Django may be prone to CSRF vulnerabilities, which should be "easy" to fix by using Django's CSRF protection middleware as described here: http://www.djangoproject.com/documentation/csrf/ Django's admin panel should be affected by the CSRF problem too. Moreover, the discussion referenced above suggests that enabling CsrfMiddleware may break the admin panel. Michel, can you please advise here? Is any fix needed / possible for the Fedora Django packages? Thanks!
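To make the point of the report concrete, the following is an added example (not code from Django or from anyone in this thread) that models the two sides of the issue: a password-change handler that trusts the session cookie alone, and the same handler behind a per-session token check of the kind the 0.96-era CsrfMiddleware performed. The session id, secret key, handler names and request tuples are constructed for the demo; the token derivation (a keyed hash of the session id) is an assumption that mirrors the documented middleware design rather than its exact code.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed for this demo; in Django this would be settings.SECRET_KEY.
SECRET_KEY = "example-secret-key-do-not-reuse"
ADMIN_PASSWORD_URL = "/admin/auth/user/1/password/"


def make_token(session_id: str) -> str:
    """Per-session CSRF token: a keyed hash of the session id.

    Assumption: this mirrors the 0.96-era CsrfMiddleware design (a hash of
    SECRET_KEY and the session id) with a modern HMAC in place of its exact
    construction.  An attacker's page cannot compute it without the secret.
    """
    return hmac.new(SECRET_KEY.encode(), session_id.encode(), hashlib.sha256).hexdigest()


def change_password_unprotected(method, path, cookies, body):
    """The vulnerable shape: a logged-in session cookie is the only check.

    Returns True when the password would be changed.
    """
    if method != "POST" or path != ADMIN_PASSWORD_URL:
        return False
    if "sessionid" not in cookies:
        return False  # not logged in
    fields = parse_qs(body)
    return fields.get("password1") == fields.get("password2")


def csrf_check(method, path, cookies, body):
    """What a CSRF middleware adds in front of the handler.

    Returns (allowed, reason).  Every POST must carry a csrfmiddlewaretoken
    field matching the token bound to the requesting session.
    """
    if method != "POST":
        return True, "non-POST requests are not state-changing here"
    session_id = cookies.get("sessionid")
    if session_id is None:
        return False, "403: no session to bind a token to"
    submitted = parse_qs(body).get("csrfmiddlewaretoken", [""])[0]
    if not hmac.compare_digest(submitted, make_token(session_id)):
        return False, "403: CSRF token missing or incorrect"
    return True, "token matches session"


def change_password_protected(method, path, cookies, body):
    """Handler with the middleware check in front of it."""
    allowed, _reason = csrf_check(method, path, cookies, body)
    return allowed and change_password_unprotected(method, path, cookies, body)


def forged_request(victim_session_id):
    """What an attacker-hosted auto-submitting form produces.

    The browser attaches the victim's admin session cookie automatically,
    but the attacker cannot supply a valid token for that session.
    """
    return ("POST", ADMIN_PASSWORD_URL, {"sessionid": victim_session_id},
            "password1=pwned&password2=pwned")


def legitimate_request(session_id):
    """A submission from the real admin form, which embeds the token."""
    body = ("password1=newpass&password2=newpass"
            "&csrfmiddlewaretoken=" + make_token(session_id))
    return ("POST", ADMIN_PASSWORD_URL, {"sessionid": session_id}, body)


if __name__ == "__main__":
    sid = "constructed-session-id"
    print("unprotected, forged :", change_password_unprotected(*forged_request(sid)))
    print("protected,   forged :", change_password_protected(*forged_request(sid)),
          csrf_check(*forged_request(sid))[1])
    print("protected,   genuine:", change_password_protected(*legitimate_request(sid)))
```

Note what the check relies on and what it does not: the forged request is rejected because the token is absent, not because of its origin, which is why a "trusted hosts only" restriction on the admin URL does nothing against CSRF when the victim's browser is the trusted host. The check also only covers POST, which is the reason the middleware can break forms (including admin ones) that are rendered without the hidden token field.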
Any deployed application should have the admin interface disabled, or restricted to trusted hosts only, so this is probably best left to upstream to deal with. The discussion has gone quiet upstream; I'm not sure we need to do anything here. Noting that Gentoo also closes the bug as invalid.
(In reply to comment #2) > Any deployed application should have the admin interface disabled, or > restricted to trusted hosts only, so this is probably best left to upstream > to deal with. As this was reported as a CSRF attack, access restricted to trusted hosts only does not qualify as the counter-measure. > The discussion has gone quiet upstream; I'm not sure we need to do anything > here. Noting that Gentoo also closes the bug as invalid. Their reason for closing as invalid is not 100% correct imho. Part of the report was that the admin panel does not use the CSRF middleware, so I'd say this still qualifies as a CSRF issue against Django. But yes, this should probably be dealt with by upstream.