oss-sec mailing list archives
Re: django CSRF vuln
From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 4 Sep 2008 12:48:38 -0400 (EDT)
====================================================== Name: CVE-2008-3909 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3909 Reference: MLIST:[oss-security] 20080903 django CSRF vuln Reference: URL:http://www.openwall.com/lists/oss-security/2008/09/03/4 Reference: CONFIRM:http://www.djangoproject.com/weblog/2008/sep/02/security/ The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests.
Current thread:
- django CSRF vuln Vincent Danen (Sep 03)
- Re: django CSRF vuln Steven M. Christey (Sep 04)