Monday, May 14, 2012

Re: Admin user privilege elevation (how to prevent it)

That is as I feared, thanks for the help Russ.

On May 14, 4:58 pm, Russell Keith-Magee <russ...@keith-magee.com>
wrote:
> On Tue, May 15, 2012 at 5:09 AM, Josh Cartmell <joshcar...@gmail.com> wrote:
> > Thanks for the responses and insight everyone (special thanks to
> > Russell for clarifying what type of attack this is).  I will point this
> > discussion out to the Mezzanine users group and hopefully it will
> > generate some more thought into the matter.
>
> > @Nikolas, you summed up what I was thinking well.  I am wondering if
> > those two goals of not trusting user content and allowing admins
> > to post rich content are mutually exclusive.
>
> > @John, I like that idea the only problem is that it wouldn't
> > necessarily have to be a superuser, I think anyone with permission to
> > change users who viewed the code could cause the privilege elevation.
>
> > @jim, I like the idea of putting the admin on a different subdomain
> > although that is not always feasible.
>
> > I don't know if the Django admin uses ajax internally but I wonder if
> > it would be appropriate for there to be a Django setting which would
> > disable posting via ajax to the admin, rendering obsolete this sort of
> > injection, and still allowing admin users to post javascripts?  I'm
> > not sure if it's always possible to reliably differentiate between an
> > ajax vs non-ajax request.
>
> It's only possible to tell the difference between AJAX and non-AJAX
> requests if the request actually identifies itself as an AJAX request
> (usually using the X-REQUESTED-WITH header in the request). Most well
> behaved Javascript frameworks will do this, but attackers won't be
> following the rules. In short, you can't ever trust anything provided
> by the end user, because they can and will find a way to fake any
> value that will get them past security.
>
> Yours,
> Russ Magee %-)

--
You received this message because you are subscribed to the Google Groups "Django users" group.
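An added illustration of the point Russ makes above, written for this page and not taken from the thread or from Django itself: it models the "disable AJAX posting to the admin" setting Josh floated as a small hypothetical gate, feeds it three constructed raw HTTP requests, and shows that the gate only affects clients that volunteer the `X-Requested-With` header. The request parser, the `/admin/` path, the session cookie value and the `admin_accepts_post` gate are all assumptions made for the example.

```python
# Added example, not code from the django-users thread or from Django.
# Models the hypothetical "reject AJAX posts to the admin" setting and
# shows why it is not a control: the only signal a server has for
# "this came from XMLHttpRequest" is a header the client chooses to send.


def parse_raw_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).

    Header names are lower-cased so lookups are case-insensitive, as in
    real servers. Minimal parser constructed for this example only.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def looks_like_ajax(headers):
    """The conventional test: jQuery-style frameworks add this header themselves."""
    return headers.get("x-requested-with", "").lower() == "xmlhttprequest"


def admin_accepts_post(raw: bytes, reject_ajax: bool = True) -> bool:
    """Hypothetical admin gate: drop POSTs that identify themselves as AJAX.

    Returns True when the request would reach the admin change view.
    """
    method, path, headers, _body = parse_raw_request(raw)
    if method != "POST" or not path.startswith("/admin/"):
        return False
    if reject_ajax and looks_like_ajax(headers):
        return False
    return True


# Three constructed requests, all carrying the same (placeholder) admin session.
COMMON = (
    b"Host: example.test\r\n"
    b"Cookie: sessionid=ADMIN_SESSION_PLACEHOLDER\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
)
BODY = b"first_name=Changed"

# 1. A well-behaved framework announces itself and is caught by the gate.
POLITE_AJAX = (b"POST /admin/auth/user/7/ HTTP/1.1\r\n" + COMMON
               + b"X-Requested-With: XMLHttpRequest\r\n\r\n" + BODY)

# 2. A normal browser form submission never carries the header.
BROWSER_FORM = b"POST /admin/auth/user/7/ HTTP/1.1\r\n" + COMMON + b"\r\n" + BODY

# 3. A script that simply leaves the header out is byte-for-byte the same
#    as the browser form, so the server cannot tell them apart.
SCRIPT_NO_HEADER = BROWSER_FORM


def gate_results():
    """Outcome of the hypothetical gate for each constructed request."""
    return {
        "polite_ajax": admin_accepts_post(POLITE_AJAX),
        "browser_form": admin_accepts_post(BROWSER_FORM),
        "script_no_header": admin_accepts_post(SCRIPT_NO_HEADER),
    }


if __name__ == "__main__":
    for name, accepted in gate_results().items():
        print(f"{name:18s} -> {'accepted' if accepted else 'rejected'}")
```

Running it shows the gate rejecting only the cooperative request; the other two are identical on the wire. That is Russ's point in code: a header-based AJAX check is a convenience for well-behaved frameworks, and any authorization decision in the admin has to rest on the server-side user and permission state rather than on anything the request says about itself.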
