oss-sec mailing list archives

Re: django CSRF vuln

From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 4 Sep 2008 12:48:38 -0400 (EDT)


======================================================
Name: CVE-2008-3909
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3909
Reference: MLIST:[oss-security] 20080903 django CSRF vuln
Reference: URL:http://www.openwall.com/lists/oss-security/2008/09/03/4
Reference: CONFIRM:http://www.djangoproject.com/weblog/2008/sep/02/security/

The administration application in Django 0.91, 0.95, and 0.96 stores
unauthenticated HTTP POST requests and processes them after successful
authentication occurs, which allows remote attackers to conduct
cross-site request forgery (CSRF) attacks and delete or modify data
via unspecified requests.

Current thread:

django CSRF vuln Vincent Danen (Sep 03)
- Re: django CSRF vuln Steven M. Christey (Sep 04)