Description of problem:
The following was reported today to the public (Sept, 2, 2008) via the Django main site:
The Django administration application, as a convenience for users whose sessions expire, will attempt to preserve HTTP POST data from an incoming submission while re-authenticating the user, and will -- on successful authentication -- allow the submission to continue without requiring data to be re-entered.
Django developer Simon Willison has presented the Django development team with a proof-of-concept cross-site request forgery (CSRF) which exploits this behavior to perform unrequested deletion/modification of data. This exploit has been tested and verified by the Django team, and succeeds regardless of whether Django's bundled CSRF-protection module is active.
Version-Release number of selected component (if applicable):
Since I am not aware if the maintainer of the package was given advance notice I'm cc'ing him on this bug.
Michel was listed on the advance notification last week, albeit at a different address; if the address CC'd above is the correct address to use for such notifications, let me know and I'll update our list.
What e-mail address was used for the advance notification? I just checked and could not find the e-mail.
Please use firstname.lastname@example.org or email@example.com -- preferably the former. Thanks.
Working on the new release now.
I had previously received email from michel.salim@gmail and was using that; it never bounced so I'd assumed it was still the correct one; I'll switch to the fedora address for the future.
Django-0.96.3-1.fc9 has been submitted as an update for Fedora 9.
Django-0.96.3-1.fc8 has been submitted as an update for Fedora 8.
CVE id CVE-2008-3909 was assigned to this issue:
The administration application in Django 0.91, 0.95, and 0.96 stores
unauthenticated HTTP POST requests and processes them after successful
authentication occurs, which allows remote attackers to conduct
cross-site request forgery (CSRF) attacks and delete or modify data
via unspecified requests.
Update has been marked stable, but for some reason the bug is not automatically closed; closing now.
Django-0.96.3-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Django-0.96.3-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.