Description of problem: The following was reported today to the public (Sept, 2, 2008) via the Django main site: The Django administration application, as a convenience for users whose sessions expire, will attempt to preserve HTTP POST data from an incoming submission while re-authenticating the user, and will -- on successful authentication -- allow the submission to continue without requiring data to be re-entered. Django developer Simon Willison has presented the Django development team with a proof-of-concept cross-site request forgery (CSRF) which exploits this behavior to perform unrequested deletion/modification of data. This exploit has been tested and verified by the Django team, and succeeds regardless of whether Django's bundled CSRF-protection module is active. Version-Release number of selected component (if applicable): Django-0.96.2-1 Extra Info Since I am not aware if the maintainer of the package was given advance notice I'm cc'ing him on this bug.
Michel was listed on the advance notification last week, albeit at a different address; if the address CC'd above is the correct address to use for such notifications, let me know and I'll update our list.
What e-mail address was used for the advance notification? I just checked and could not find the e-mail. Please use salimma or michel.sylvan -- preferably the former. Thanks. Working on the new release now.
I had previously received email from michel.salim@gmail and was using that; it never bounced so I'd assumed it was still the correct one; I'll switch to the fedora address for the future.
Django-0.96.3-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/Django-0.96.3-1.fc9
Django-0.96.3-1.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/Django-0.96.3-1.fc8
CVE id CVE-2008-3909 was assigned to this issue: The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests.
Update has been marked stable, but for some reason the bug is not automatically closed; closing now.
Django-0.96.3-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Django-0.96.3-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.