Bug 198347

Summary: dev-python/django Admin panel Cross-site request forgery (CVE-2007-5828)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: trivial
CC: python, seemant
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~1 []
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 12:35:53 UTC
CVE-2007-5828 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5828):
  Cross-site request forgery (CSRF) vulnerability in the admin panel in Django
  0.96 allows remote attackers to change passwords of arbitrary users via a
  request to admin/auth/user/1/password/.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 12:37:30 UTC
Seemant, are we affected by this?
Comment 2 Seemant Kulleen (RETIRED) gentoo-dev 2007-11-07 20:39:49 UTC
Hi Robert & Security Co.,

This is a non-issue for django.  The person who raised the issue brought it up to django's upstream and was shown their CSRF middleware to protect against these attacks (documented here: http://www.djangoproject.com/documentation/0.96/csrf/ ).  The reporter even *agreed* with upstream that there was, indeed, no issue.  The reporter then went on to file the CVE.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-11-07 20:43:44 UTC
Closing as INVALID then.

Upstream should notify MITRE if they contest the CVE entry and it will get noted.
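The attack described in the CVE text and the mitigation Comment 2 points to (the synchronizer-token check performed by Django's CSRF middleware) can be shown side by side in a few lines. The following is an added illustration written for this page; it is not Django's code and does not model the 0.96 admin beyond the one endpoint named in the CVE. The session store, users, SECRET_KEY value and the HMAC token derivation are all constructed for the example (the 0.96 middleware also derived its token from the session cookie and SECRET_KEY, but its exact hash construction is not reproduced here). The `check_csrf` flag stands in for whether the middleware is installed.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed values: stand-ins for settings.SECRET_KEY and the session backend.
SECRET_KEY = "constructed-secret-key-not-a-real-one"
SESSIONS = {"s3ss10n": {"user_id": 1, "is_staff": True}}

# The admin URL from the CVE: admin/auth/user/<id>/password/
PASSWORD_PATH = re.compile(r"^admin/auth/user/(\d+)/password/$")


@dataclass
class Request:
    """Minimal HTTP request model: only what the handler below looks at."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


def csrf_token(session_id: str) -> str:
    """Per-session token bound to a server secret (example's own construction).

    A cross-site page can make the victim's browser *send* the session cookie,
    but it cannot read the cookie or SECRET_KEY, so it cannot compute this value.
    """
    return hmac.new(SECRET_KEY.encode(), session_id.encode(), hashlib.sha256).hexdigest()


def change_password(request: Request, users: dict, check_csrf: bool) -> int:
    """Handler for the password-change endpoint; returns an HTTP status code.

    With check_csrf=False it has the shape the CVE describes: any POST that
    carries a staff session cookie is honoured, whoever caused the browser to
    send it.  With check_csrf=True it does what the CSRF middleware does:
    require a form field that matches the token bound to the session.
    """
    session = SESSIONS.get(request.cookies.get("sessionid", ""))
    if session is None or not session["is_staff"]:
        return 403
    if request.method != "POST":
        return 405
    if check_csrf:
        supplied = request.post.get("csrfmiddlewaretoken", "")
        expected = csrf_token(request.cookies["sessionid"])
        # Constant-time comparison so the check itself leaks nothing about the token.
        if not hmac.compare_digest(supplied, expected):
            return 403
    match = PASSWORD_PATH.match(request.path)
    if not match or int(match.group(1)) not in users:
        return 404
    users[int(match.group(1))]["password"] = request.post.get("password", "")
    return 200


def forged_request() -> Request:
    """What the victim's browser sends when an attacker page auto-submits a form
    to the admin: the session cookie rides along, the token does not."""
    return Request("POST", "admin/auth/user/1/password/",
                   cookies={"sessionid": "s3ss10n"},
                   post={"password": "attacker-chosen"})


def legitimate_request() -> Request:
    """A submission from the admin's own form, which embeds the token."""
    return Request("POST", "admin/auth/user/1/password/",
                   cookies={"sessionid": "s3ss10n"},
                   post={"password": "new-pass",
                         "csrfmiddlewaretoken": csrf_token("s3ss10n")})


def run(request: Request, check_csrf: bool) -> tuple:
    """Run one request against a fresh user store; return (status, resulting password)."""
    users = {1: {"username": "admin", "password": "original"}}  # constructed
    status = change_password(request, users, check_csrf)
    return status, users[1]["password"]


if __name__ == "__main__":
    print("forged, no middleware:   ", run(forged_request(), check_csrf=False))
    print("forged, middleware on:   ", run(forged_request(), check_csrf=True))
    print("legitimate, middleware on:", run(legitimate_request(), check_csrf=True))
```

The practical caveat behind this bug report is that in Django 0.96 the CSRF middleware was opt-in: it had to be added to MIDDLEWARE_CLASSES in the project's settings, so a site that never enabled it was exposed exactly as the CVE text describes, while a site that followed the linked documentation was not. Both the "non-issue" position and the CVE filing are consistent with that.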