Bug 198347 - dev-python/django Admin panel Cross-site request forgery (CVE-2007-5828)
Summary: dev-python/django Admin panel Cross-site request forgery (CVE-2007-5828)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~1 []
Keywords:
Depends on:
Blocks:
 
Reported: 2007-11-07 12:35 UTC by Robert Buchholz (RETIRED)
Modified: 2007-11-07 20:43 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---
Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 12:35:53 UTC
CVE-2007-5828 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5828):
  Cross-site request forgery (CSRF) vulnerability in the admin panel in Django
  0.96 allows remote attackers to change passwords of arbitrary users via a
  request to admin/auth/user/1/password/.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 12:37:30 UTC
Seemant, are we affected by this?
Comment 2 Seemant Kulleen (RETIRED) gentoo-dev 2007-11-07 20:39:49 UTC
Hi Robert & Security Co.,

This is a non-issue for django. The person who raised the issue brought it up to django's upstream and was shown their CSRF middleware to protect against these attacks (documented here: http://www.djangoproject.com/documentation/0.96/csrf/ ). The reporter even *agreed* with upstream that there was, indeed, no issue. The reporter then went on to file the CVE.
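To illustrate the mechanism the comment above refers to, here is an added, simplified reimplementation of the idea behind Django 0.96's CsrfMiddleware (this is not Django's code): a token derived from the session id and a server-side secret is injected into outgoing POST forms as the hidden field `csrfmiddlewaretoken`, and any POST that does not echo the correct token for its session is rejected with 403 before a view such as the admin password change can act. The secret, the `change_password` view and the sample requests are constructed for the demonstration; HMAC-SHA256 is used here in place of the original's MD5-based token.

```python
"""Simplified CSRF check in the spirit of Django 0.96's CsrfMiddleware (illustrative, not Django's code)."""
import hmac
import hashlib
import secrets

SECRET_KEY = "constructed-secret-for-demo-only"   # assumption: server-side secret, never sent to clients
TOKEN_FIELD = "csrfmiddlewaretoken"               # hidden form field name used by Django 0.96


def make_token(session_id: str) -> str:
    """Derive a per-session token from the session id and the secret (HMAC-SHA256 here)."""
    return hmac.new(SECRET_KEY.encode(), session_id.encode(), hashlib.sha256).hexdigest()


def inject_token(html: str, session_id: str) -> str:
    """Add the hidden token field to every POST form in an outgoing page (naive string match)."""
    hidden = f'<input type="hidden" name="{TOKEN_FIELD}" value="{make_token(session_id)}" />'
    return html.replace('<form method="post">', '<form method="post">' + hidden)


def check_request(method: str, session_id: str, post_data: dict) -> int:
    """Return the status the middleware would produce: 200 to continue, 403 to block."""
    if method.upper() != "POST":
        return 200  # only state-changing requests are checked
    supplied = post_data.get(TOKEN_FIELD, "")
    if not hmac.compare_digest(supplied, make_token(session_id)):
        return 403  # token missing or not bound to this session: treat as cross-site
    return 200


def change_password(method: str, session_id: str, post_data: dict, users: dict) -> int:
    """Hypothetical admin password-change view, reached only if the CSRF check passes."""
    status = check_request(method, session_id, post_data)
    if status != 200:
        return status
    users[post_data["user_id"]] = post_data["new_password"]
    return 200


if __name__ == "__main__":
    sid = secrets.token_hex(16)
    users = {"1": "old-password"}
    # a request from a third-party page cannot carry the victim's token, so it is blocked
    assert change_password("POST", sid, {"user_id": "1", "new_password": "x"}, users) == 403
    # a request submitted from the admin's own form carries the injected token
    form = inject_token('<form method="post"></form>', sid)
    legit = {"user_id": "1", "new_password": "y", TOKEN_FIELD: make_token(sid)}
    assert change_password("POST", sid, legit, users) == 200 and users["1"] == "y"
```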
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-11-07 20:43:44 UTC
Closing as INVALID then.

Upstream should notify Mitre if they contest the CVE entry and it will get noted.