Bug 379641 - (CVE-2007-5828) CVE-2007-5828 Django admin panel CSRF
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: source=cve,reported=20071105,public=2...
Keywords: Security
Reported: 2007-11-13 05:28 EST by Tomas Hoger
Modified: 2008-01-15 04:53 EST (History)
Description Tomas Hoger 2007-11-13 05:28:40 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5828 to the following vulnerability:

Cross-site request forgery (CSRF) vulnerability in the admin panel in Django 0.96 allows remote attackers to change passwords of arbitrary users via a request to admin/auth/user/1/password/.

References:

http://www.securityfocus.com/archive/1/archive/1/482983/100/0/threaded
Comment 1 Tomas Hoger 2007-11-13 05:42:26 EST
Validity of this issue is being discussed even by Django upstream developers;
they do not all share the same view of the issue:

http://groups.google.com/group/django-developers/browse_thread/thread/1ea43b6adbcaf7fc/8f0796d4843f7463#8f0796d4843f7463
http://bugs.gentoo.org/show_bug.cgi?id=198347

The reporter's mail informs that applications using Django may be prone to CSRF
vulnerabilities, which should be "easy" to fix by using Django's CSRF protection
middleware as described here:

http://www.djangoproject.com/documentation/csrf/

Django's admin panel should be affected by the CSRF problem too.  Moreover, the
discussion referenced above suggests that enabling CsrfMiddleware may break the
admin panel.

Michel, can you please advise here?  Is any fix needed / possible for Fedora
Django packages?  Thanks!
Comment 2 Michel Alexandre Salim 2008-01-11 18:15:36 EST
Any deployed application should have the admin interface disabled, or restricted
to trusted hosts only, so this is probably best left to upstream to deal with.

The discussion has gone quiet upstream; I'm not sure we need to do anything
here. Noting that Gentoo also closes the bug as invalid.
Comment 3 Tomas Hoger 2008-01-15 04:53:25 EST
(In reply to comment #2)
> Any deployed application should have the admin interface disabled, or 
> restricted to trusted hosts only, so this is probably best left to upstream
> to deal with.

As this was reported as a CSRF attack, access restricted to trusted hosts only
does not qualify as a counter-measure.

> The discussion has gone quiet upstream; I'm not sure we need to do anything
> here. Noting that Gentoo also closes the bug as invalid.

Their reason for closing as invalid is not 100% correct imho.  Part of the
report was that the admin panel does not use the CSRF middleware, so I'd say this
still qualifies as a CSRF issue against Django.  But yes, this should probably be
dealt with by upstream.

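The attack described in the CVE text and Comment 1 (a forged POST to admin/auth/user/1/password/ issued by a page the logged-in admin happens to visit) and the point Comment 3 makes (a trusted-hosts restriction is no defence against CSRF) are easiest to see in a small simulation. The Python below is an added example for this page; it is not Django's code and not its CsrfMiddleware. The AdminServer and Request classes, the form field names, the intranet.example hostname and the 10.0.0.5 address are all constructed. The protected branch implements the standard synchronizer-token pattern (a per-session random token the attacker's origin cannot read); the real middleware's token derivation is not reproduced here.

```python
"""Toy model of the CVE-2007-5828 scenario: a logged-in admin's browser is
tricked into POSTing a password change to /admin/auth/user/1/password/.

Every name below (AdminServer, Request, field names, host, IP) is constructed
for this example; nothing here is Django's own code.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    remote_addr: str                  # IP the server sees: the *victim's* machine
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


# Constructed attacker page. Any site the admin visits while logged in can host
# it; the browser attaches the admin's session cookie automatically, so the
# request arrives from the admin's own browser and IP address.
ATTACKER_PAGE = """
<form id="f" action="http://intranet.example/admin/auth/user/1/password/" method="post">
  <input type="hidden" name="new_password" value="pwned">
</form>
<script>document.getElementById("f").submit();</script>
"""

CHANGE_PASSWORD_PATH = "/admin/auth/user/1/password/"
ADMIN_IP = "10.0.0.5"                 # constructed: admin workstation, "trusted"


class AdminServer:
    """Minimal stand-in for an admin app; `require_csrf` toggles the check."""

    def __init__(self, require_csrf: bool, trusted_hosts=()):
        self.require_csrf = require_csrf
        self.trusted_hosts = set(trusted_hosts)
        self.sessions = {}             # session id -> {"user": id, "csrf": token}
        self.passwords = {1: "original"}

    def login(self, user_id: int) -> str:
        sid = secrets.token_hex(16)
        # Synchronizer token: per-session random secret. The attacker's page
        # cannot read it (same-origin policy), so it cannot forge a valid POST.
        self.sessions[sid] = {"user": user_id, "csrf": secrets.token_hex(16)}
        return sid

    def csrf_token(self, sid: str) -> str:
        return self.sessions[sid]["csrf"]

    def handle(self, req: Request) -> int:
        # "Trusted hosts only" is useless against CSRF: the forged request
        # genuinely originates from the trusted admin's browser.
        if self.trusted_hosts and req.remote_addr not in self.trusted_hosts:
            return 403
        sess = self.sessions.get(req.cookies.get("sessionid"))
        if sess is None:
            return 302                 # would redirect to the login page
        if req.method != "POST" or req.path != CHANGE_PASSWORD_PATH:
            return 404
        if self.require_csrf:
            supplied = req.post.get("csrfmiddlewaretoken", "")
            if not hmac.compare_digest(supplied, sess["csrf"]):
                return 403             # CSRF verification failed
        self.passwords[1] = req.post["new_password"]   # user 1, per the URL
        return 200


def forged_request(victim_sid: str) -> Request:
    """What the server receives when the logged-in admin loads ATTACKER_PAGE."""
    return Request("POST", CHANGE_PASSWORD_PATH, ADMIN_IP,
                   cookies={"sessionid": victim_sid},     # added by the browser
                   post={"new_password": "pwned"})        # no token: unreadable cross-origin


def legit_request(sid: str, token: str) -> Request:
    """The real admin form, rendered with the session-bound token."""
    return Request("POST", CHANGE_PASSWORD_PATH, ADMIN_IP,
                   cookies={"sessionid": sid},
                   post={"new_password": "rotated", "csrfmiddlewaretoken": token})


def run_scenarios() -> dict:
    results = {}
    # 1. No CSRF check, access limited to the trusted host: forgery succeeds anyway.
    srv = AdminServer(require_csrf=False, trusted_hosts={ADMIN_IP})
    sid = srv.login(1)
    results["unprotected_forged"] = (srv.handle(forged_request(sid)), srv.passwords[1])
    # 2. CSRF check on: the forged POST is rejected and the password is unchanged.
    srv = AdminServer(require_csrf=True, trusted_hosts={ADMIN_IP})
    sid = srv.login(1)
    results["protected_forged"] = (srv.handle(forged_request(sid)), srv.passwords[1])
    # 3. Same protected server, genuine form carrying the token: accepted.
    results["protected_legit"] = (srv.handle(legit_request(sid, srv.csrf_token(sid))),
                                  srv.passwords[1])
    return results


if __name__ == "__main__":
    for name, (status, pw) in run_scenarios().items():
        print(f"{name:20s} status={status} password_of_user_1={pw}")
```

The first scenario is the situation Comment 3 objects to: the host allow-list is satisfied because the victim's browser is the trusted host, yet the password of user 1 is overwritten. Only the token check, which the cross-origin attacker page cannot satisfy, stops the forged request while still letting the genuine admin form through.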