Django sites running the built-in admin site from a revision prior to r15639 are vulnerable to user enumeration. The Django team was notified and corrected this in SVN revision 15639. Details here: http://code.djangoproject.com/changeset/15639. By specifying a content type id of 3 (the User model on a default install) and enumerating object IDs beginning with 1, the admin's shortcut view responds with redirects containing usernames (e.g. a request to /admin/r/3/[USERID]/ redirects to that user's URL). No authentication is required to exploit this vulnerability.
Django sites should either upgrade to the latest SVN or manually modify django/trunk/django/contrib/admin/sites.py so that the shortcut view goes through the admin site's wrap() (and therefore its login check) instead of being served to anonymous requests, changing:
url(r'^r/(?P<content_type_id>\d+)/(?P<object_id>.+)/$', 'django.views.defaults.shortcut'),
to
url(r'^r/(?P<content_type_id>\d+)/(?P<object_id>.+)/$', wrap(contenttype_views.shortcut)),
Better still, bind the admin site to 127.0.0.1 and reach it only through an SSH tunnel, so the shortcut view is never exposed to the public network at all.
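For sites that cannot patch immediately, the enumeration pattern described above is easy to spot in web server logs: one client requesting /admin/r/<content type>/<id>/ for a run of consecutive ids and receiving 302 redirects. The script below is an added example (not part of the original post or of Django) that parses combined-format access log lines and flags clients that probe several object ids under the same content type. The log lines are constructed for the example, the IP addresses are documentation ranges, and the threshold of three distinct ids is an arbitrary assumption; tune it to your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample log lines (Apache/nginx combined format). They are not from
# a real server; they mimic the advisory's pattern: one client walking
# /admin/r/3/<id>/ with no referer and collecting 302 redirects, plus a staff
# user who followed a single legitimate shortcut link from the admin index.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2011:12:00:01 +0000] "GET /admin/r/3/1/ HTTP/1.1" 302 0 "-" "curl/7.21"
203.0.113.5 - - [10/Feb/2011:12:00:02 +0000] "GET /admin/r/3/2/ HTTP/1.1" 302 0 "-" "curl/7.21"
203.0.113.5 - - [10/Feb/2011:12:00:02 +0000] "GET /admin/r/3/3/ HTTP/1.1" 302 0 "-" "curl/7.21"
203.0.113.5 - - [10/Feb/2011:12:00:03 +0000] "GET /admin/r/3/4/ HTTP/1.1" 404 0 "-" "curl/7.21"
203.0.113.5 - - [10/Feb/2011:12:00:03 +0000] "GET /admin/r/3/5/ HTTP/1.1" 302 0 "-" "curl/7.21"
198.51.100.7 - - [10/Feb/2011:12:05:00 +0000] "GET /admin/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2011:12:05:09 +0000] "GET /admin/r/3/12/ HTTP/1.1" 302 0 "http://example.org/admin/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The admin shortcut URL from the advisory: /admin/r/<content_type_id>/<object_id>/
SHORTCUT_RE = re.compile(r'^/admin/r/(?P<ct>\d+)/(?P<oid>\d+)/$')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_enumeration(log_text, threshold=3):
    """Return one finding per (client ip, content type id) where the client
    requested at least `threshold` distinct object ids via the shortcut view.

    Every probe counts, whatever the status: a 404 just means no object had
    that id, while a 302 means a redirect (and thus a username) was leaked.
    """
    probes = defaultdict(dict)  # (ip, ct) -> {object_id: status}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "GET":
            continue
        m = SHORTCUT_RE.match(rec["path"])
        if not m:
            continue
        probes[(rec["ip"], int(m["ct"]))][int(m["oid"])] = int(rec["status"])

    findings = []
    for (ip, ct), by_id in sorted(probes.items()):
        if len(by_id) < threshold:
            continue
        ids = sorted(by_id)
        span = ids[-1] - ids[0] + 1
        findings.append({
            "ip": ip,
            "content_type_id": ct,
            "probed_ids": len(ids),
            "first_id": ids[0],
            "last_id": ids[-1],
            # redirects = probes that actually leaked a username-bearing Location
            "redirects": sum(1 for s in by_id.values() if s == 302),
            # a walk through consecutive ids covers most of its own range
            "sequential": len(ids) >= 0.8 * span,
        })
    return findings


if __name__ == "__main__":
    for f in find_enumeration(SAMPLE_LOG):
        print("possible user enumeration: client %(ip)s probed %(probed_ids)d ids "
              "(%(first_id)d..%(last_id)d) on content type %(content_type_id)d, "
              "%(redirects)d redirects, sequential=%(sequential)s" % f)
```

Pipe a real access log into find_enumeration() (for example, by reading the file and passing its contents) and feed the findings to whatever alerting you already have; the staff user in the sample, who followed one link with a referer from the admin index, stays below the threshold and is not reported.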