Bug 632239 (CVE-2010-3082) - CVE-2010-3082 Django CSRF flaw
Summary: CVE-2010-3082 Django CSRF flaw
Alias: CVE-2010-3082
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 632240
TreeView+ depends on / blocked
Reported: 2010-09-09 13:43 UTC by Josh Bressers
Modified: 2019-09-29 12:39 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-09-12 11:21:48 UTC

Attachments (Terms of Use)

Description Josh Bressers 2010-09-09 13:43:06 UTC
As of the 1.2 release, the core Django framework includes a system, enabled
by default, for detecting and preventing cross-site request forgery (CSRF)
attacks against Django-powered applications. Previous Django releases
provided a different, optionally-enabled system for the same purpose.

The Django 1.2 CSRF protection system involves the generation of a random
token, inserted as a hidden field in outgoing forms. The same value is also
set in a cookie, and the cookie value and form value are compared on

The provided template tag for inserting the CSRF token into forms -- {%
csrf_token %} -- explicitly trusts the cookie value, and displays it as-is.
Thus, an attacker who is able to tamper with the value of the CSRF cookie
can cause arbitrary content to be inserted, unescaped, into the outgoing
HTML of the form, enabling cross-site scripting (XSS) attacks.

This issue was first reported via a public ticket in Django's Trac
instance; while being triaged it was then independently reported, with
broader description, by Jeff Balogh of Mozilla.


Comment 1 Josh Bressers 2010-09-09 13:43:40 UTC
Created Django tracking bugs for this issue

Affects: fedora-all [bug 632240]

Comment 2 Steve Milner 2010-09-22 14:01:18 UTC
Most all of the updates have made it out -- there was a follow up release which happened while the packages were in testing which pushed the releases out a bit. The only outstanding package is for Fedora 14 which is pending to go to stable.

Note You need to log in before you can comment on or make changes to this bug.