Closed Bug 591034 Opened 15 years ago Closed 15 years ago

Escaping Needed to Prevent Stored XSS via Django's CSRF Token

Categories

(Websites :: Other, defect)

Product:
Websites
Component:
Other
Type:
defect
Priority:
Not set
Severity:
blocker

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: mcoates, Unassigned)

References

(
URL
)

Details

(Keywords: wsec-xss, Whiteboard: [infrasec:xss])

Issue Django's CSRF defense contains a flaw which allows cross site scripting attacks via the CSRF cookie. This issue is being tracked by django here: http://code.djangoproject.com/ticket/14032. This attack could be launched from a subdomain or from a man in the middle attack via cookie forcing. This would allow an attacker to inject a stored XSS attack within the victim's browser. The XSS would fire anytime the victim visits a form using DJANGO's csrf controls within a valid domain for the infected cookie. Recommended Resolution This is a publicly disclosed XSS vulnerability and will need to be resolved on our end as soon as possible. The recommended solution is to modify all uses of django's CSRF defense and remove the "safe" flag. This will ensure that DJANGO safely displays the CSRF token within the HTTP response. Note: The attacker does not need access to the django components in order to launch this attack. Once the victim's cookie is infected the attack will launch whenever the victim access the page. Therefore, restricted pages, such as those protected by LDAP auth, or equally vulnerable to attack.
Was pushed, but bugs were never closed
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Verified in prod.
Status: RESOLVED → VERIFIED
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
You need to log in before you can comment on or make changes to this bug.