Bug 460966 (CVE-2008-3909) - CVE-2008-3909 Django: CSRF issue fixed in 0.96.3
Summary: CVE-2008-3909 Django: CSRF issue fixed in 0.96.3
Keywords:
Status: CLOSED NEXTRELEASE
Alias: CVE-2008-3909
Product: Fedora
Classification: Fedora
Component: Django
Version: 9
Hardware: All
OS: All
Priority: high
Severity: high
Target Milestone: ---
Assignee: Michel Lind
QA Contact: Fedora Extras Quality Assurance
URL: http://www.djangoproject.com/weblog/2...
Whiteboard:
Depends On:
Blocks:
Reported: 2008-09-03 00:57 UTC by Steve Milner
Modified: 2008-09-10 06:40 UTC

Fixed In Version: 0.96.3-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-09-06 14:38:40 UTC
Type: ---
Embargoed:



Description Steve Milner 2008-09-03 00:57:03 UTC
Description of problem:
The following was reported today to the public (Sept. 2, 2008) via the Django main site:

The Django administration application, as a convenience for users whose sessions expire, will attempt to preserve HTTP POST data from an incoming submission while re-authenticating the user, and will -- on successful authentication -- allow the submission to continue without requiring data to be re-entered.

Django developer Simon Willison has presented the Django development team with a proof-of-concept cross-site request forgery (CSRF) which exploits this behavior to perform unrequested deletion/modification of data. This exploit has been tested and verified by the Django team, and succeeds regardless of whether Django's bundled CSRF-protection module is active.

Version-Release number of selected component (if applicable):
Django-0.96.2-1

Extra Info
Since I am not aware whether the maintainer of the package was given advance notice, I'm cc'ing him on this bug.
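
As an added illustration (not Django's own code, and not a description of the 0.96.3 patch), here is a toy model of the re-authentication flow the advisory describes: with `preserve_post` on, a POST that arrived on an expired session is stashed and replayed after login, skipping the CSRF check that every other authenticated POST must pass; with it off, the stashed data is dropped and the user has to resubmit with a token bound to the new session. User names, credentials and the object store are constructed for the demo.

```python
import secrets

VALID_USERS = {"admin": "hunter2"}  # constructed credentials for the demo


class Session:
    """Server-side session: no user until login, plus a CSRF token bound to it."""
    def __init__(self):
        self.user = None
        self.csrf_token = secrets.token_hex(16)
        self.pending_post = None  # only used when POST data is preserved


def apply_post(store, post):
    """The admin action itself: delete the named object."""
    store.pop(post["delete"], None)


def admin_post(session, store, post, preserve_post):
    """Handle a POST to an admin action. Authenticated POSTs always need a token."""
    if session.user is None:
        if preserve_post:
            session.pending_post = post  # vulnerable: keep the submission for later
        return "login required"
    if post.get("csrf_token") != session.csrf_token:
        return "forbidden: csrf token missing or stale"
    apply_post(store, post)
    return "applied"


def login(session, store, username, password, preserve_post):
    """Authenticate; with preserve_post the stashed POST is replayed afterwards."""
    if VALID_USERS.get(username) != password:
        return "bad credentials"
    session.user = username
    session.csrf_token = secrets.token_hex(16)  # fresh token for the new session
    replay, session.pending_post = session.pending_post, None
    if preserve_post and replay is not None:
        # The stashed POST predates authentication, so nothing in it can be
        # bound to this session; it is applied without any CSRF check at all.
        apply_post(store, replay)
        return "logged in; pending submission replayed"
    return "logged in"


def scenario(preserve_post):
    """A delete POST lands on an expired session, then the user logs in."""
    session, store = Session(), {"obj1": "important record"}
    admin_post(session, store, {"delete": "obj1"}, preserve_post)  # constructed POST
    login(session, store, "admin", "hunter2", preserve_post)
    return store
```

`scenario(True)` ends with the record gone, `scenario(False)` with it intact; in the hardened flow the same deletion still works once the user resubmits with the session's current token.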

Comment 1 James Bennett 2008-09-03 01:14:21 UTC
Michel was listed on the advance notification last week, albeit at a different address; if the address CC'd above is the correct address to use for such notifications, let me know and I'll update our list.

Comment 2 Michel Lind 2008-09-03 01:43:11 UTC
What e-mail address was used for the advance notification? I just checked and could not find the e-mail.

Please use salimma or michel.sylvan -- preferably the former. Thanks.

Working on the new release now.

Comment 3 James Bennett 2008-09-03 01:59:22 UTC
I had previously received email from michel.salim@gmail and was using that; it never bounced so I'd assumed it was still the correct one; I'll switch to the fedora address for the future.

Comment 4 Fedora Update System 2008-09-03 02:26:54 UTC
Django-0.96.3-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/Django-0.96.3-1.fc9

Comment 5 Fedora Update System 2008-09-03 02:28:45 UTC
Django-0.96.3-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/Django-0.96.3-1.fc9

Comment 6 Fedora Update System 2008-09-03 02:29:32 UTC
Django-0.96.3-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/Django-0.96.3-1.fc8

Comment 7 Tomas Hoger 2008-09-04 18:11:58 UTC
CVE id CVE-2008-3909 was assigned to this issue:

The administration application in Django 0.91, 0.95, and 0.96 stores
unauthenticated HTTP POST requests and processes them after successful
authentication occurs, which allows remote attackers to conduct
cross-site request forgery (CSRF) attacks and delete or modify data
via unspecified requests.

Comment 8 Michel Lind 2008-09-06 14:38:40 UTC
Update has been marked stable, but for some reason the bug is not automatically closed; closing now.

Comment 9 Fedora Update System 2008-09-10 06:35:46 UTC
Django-0.96.3-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2008-09-10 06:40:49 UTC
Django-0.96.3-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

