Friday, May 11, 2012

Re: Admin user privilege elevation (how to prevent it)

I imagine you could prevent this by storing the CSRF token in the user
session rather than directly in a cookie. That way, JS on the site
wouldn't be able to get at it. It looks like at least one project does
this: https://github.com/mozilla/django-session-csrf

_Nik

On 5/11/2012 2:11 PM, Josh Cartmell wrote:
> I work a lot with Mezzanine which is a CMS that uses Django. A
> security issue was recently revealed where an admin user, let's call
> him A, (they can post rich content) could put a cleverly constructed
> JavaScript on a page such that if a superuser, let's call her B, then
> visited the page it would elevate A to superuser status (a more
> thorough explanation is here:
> http://groups.google.com/group/mezzanine-users/browse_thread/thread/14fde9d8bc71555b/8208a128dbe314e8?lnk=gst&q=security).
> Apparently any Django app which allowed admin users to post arbitrary
> HTML would be vulnerable.
>
> My first thought was that csrf protection should prevent this but alas
> that is not the case. The only real solution found is to restrict
> admin users from posting any javascript in their content, unless you
> completely trust the admin users.
>
> My question is: are there any other solutions to these sorts of
> problems? It seems like allowing an admin user to post JavaScript is
> reasonable; what is unreasonable is for that JavaScript to be able to
> elevate a user's privilege. Could improvements be made to the CSRF
> mechanism to prevent this sort of user privilege elevation?
>

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
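To make the two designs concrete, here is an added toy model (not code from the thread, from Django, or from django-session-csrf) of a site that stores the CSRF token either in a readable cookie, as stock Django does, or only in the server-side session, as Nik suggests. Users "A" (admin) and "B" (superuser), the admin change form, and the three attacker strategies are constructed for illustration. The model runs each strategy while B is logged in and reports whether A ended up a superuser. Two of the three strategies match the thread: a cross-site forgery with no token, and injected script that reads B's csrftoken cookie. The third is the check a practitioner will want to make before relying on the session-stored token: script that runs on the same origin can simply fetch the admin form and scrape the hidden csrfmiddlewaretoken field, so the session-stored token closes the cookie-read shortcut but not the underlying problem that A's script is first-party code in B's browser. That is why the thread's other answer, not letting admin users post script at all, is the one that actually removes the elevation path.

```python
import hmac
import secrets


class Server:
    """Toy site with a CSRF token stored in a cookie or in the session."""

    def __init__(self, mode):
        assert mode in ("cookie", "session")
        self.mode = mode
        self.sessions = {}  # session id -> server-side session dict
        # Constructed sample accounts: A is an admin, B a superuser.
        self.users = {"A": {"is_superuser": False}, "B": {"is_superuser": True}}

    def login(self, username):
        """Log a user in and return the cookies their browser will store."""
        sid = secrets.token_hex(16)
        session = {"user": username}
        cookies = {"sessionid": sid}
        token = secrets.token_hex(16)
        if self.mode == "cookie":
            # Stock Django: the token sits in a 'csrftoken' cookie that is not
            # HttpOnly, so any script on the site can read it from document.cookie.
            cookies["csrftoken"] = token
        else:
            # Session-stored token: only the opaque session id leaves the server.
            session["csrf_token"] = token
        self.sessions[sid] = session
        return cookies

    def _current_user(self, cookies):
        session = self.sessions.get(cookies.get("sessionid"))
        return session["user"] if session else None

    def _expected_token(self, cookies):
        if self.mode == "cookie":
            return cookies.get("csrftoken")
        session = self.sessions.get(cookies.get("sessionid"))
        return session.get("csrf_token") if session else None

    def get_user_change_form(self, cookies):
        """GET of the admin change form: the token is embedded as a hidden field."""
        user = self._current_user(cookies)
        if user is None or not self.users[user]["is_superuser"]:
            return 403, ""
        token = self._expected_token(cookies)
        return 200, f'<input type="hidden" name="csrfmiddlewaretoken" value="{token}">'

    def post_user_change(self, cookies, form):
        """POST of the admin change form, with a Django-style CSRF check first."""
        user = self._current_user(cookies)
        if user is None or not self.users[user]["is_superuser"]:
            return 403
        expected = self._expected_token(cookies)
        supplied = form.get("csrfmiddlewaretoken", "")
        if not expected or not hmac.compare_digest(expected, supplied):
            return 403
        self.users[form["username"]]["is_superuser"] = form["is_superuser"]
        return 200


ELEVATE_A = {"username": "A", "is_superuser": True}


def cross_site_forgery(server, victim_cookies):
    """Classic CSRF from another origin: B's browser attaches B's cookies, but the
    attacker can neither read them nor fetch pages from the site."""
    return server.post_user_change(victim_cookies, dict(ELEVATE_A))


def injected_script_reads_cookie(server, victim_cookies):
    """A's injected script running in B's browser, reading only document.cookie;
    this is the path a session-stored token is meant to cut off."""
    token = victim_cookies.get("csrftoken", "")
    return server.post_user_change(victim_cookies, dict(ELEVATE_A, csrfmiddlewaretoken=token))


def injected_script_fetches_form(server, victim_cookies):
    """A's injected script doing a same-origin XHR for the change form and scraping
    the hidden token out of the HTML, which works whichever way the token is stored."""
    status, html = server.get_user_change_form(victim_cookies)
    if status != 200:
        return status
    token = html.split('value="', 1)[1].split('"', 1)[0]
    return server.post_user_change(victim_cookies, dict(ELEVATE_A, csrfmiddlewaretoken=token))


def a_gets_elevated(mode, attack):
    """Run one attack against a fresh server in the given mode while B is logged in."""
    server = Server(mode)
    b_cookies = server.login("B")
    attack(server, b_cookies)
    return server.users["A"]["is_superuser"]


if __name__ == "__main__":
    for mode in ("cookie", "session"):
        for attack in (cross_site_forgery, injected_script_reads_cookie, injected_script_fetches_form):
            print(f"{mode:8s} {attack.__name__:30s} A elevated: {a_gets_elevated(mode, attack)}")
```

Running it shows the cross-site forgery failing in both modes, the cookie-reading script succeeding only in cookie mode, and the form-fetching script succeeding in both. The CSRF check is doing exactly its job in every case: it distinguishes requests the site's own pages made from requests other origins made, and A's script counts as the site's own page once B has rendered it.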
