Monday, May 14, 2012

Re: Admin user privilege elevation (how to prevent it)

On Tue, May 15, 2012 at 5:09 AM, Josh Cartmell <joshcartme@gmail.com> wrote:
> Thanks for the responses and insight everyone (special thanks to
> Russel for clarifying what type of attack this is).  I will point this
> discussion out to the Mezzanine users group and hopefully it will
> generate some more thought into the matter.
>
> @Nikolas, you summed up what I was thinking well.  I am wondering if
> those two goals of not trusting user content and allowing admins
> to post rich content are mutually exclusive.
>
> @John, I like that idea; the only problem is that it wouldn't
> necessarily have to be a superuser, I think anyone with permission to
> change users who viewed the code could cause the privilege elevation.
>
> @jim, I like the idea of putting the admin on a different subdomain
> although that is not always feasible.
>
> I don't know if the Django admin uses ajax internally but I wonder if
> it would be appropriate for there to be a Django setting which would
> disable posting via ajax to the admin, rendering obsolete this sort of
> injection, and still allowing admin users to post JavaScript?  I'm
> not sure if it's always possible to reliably differentiate between an
> ajax vs non-ajax request.

It's only possible to tell the difference between AJAX and non-AJAX
requests if the request actually identifies itself as an AJAX request
(usually using the X-REQUESTED-WITH header in the request). Most
well-behaved JavaScript frameworks will do this, but attackers won't be
following the rules. In short, you can't ever trust anything provided
by the end user, because they can and will find a way to fake any
value that will get them past security.

Yours,
Russ Magee %-)

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
