This site is an archive; learn more about 8 years of OpenHatch.

[OH-Dev] [issue1020] django-inplaceedit probably introduces some security holes

ehashman bugs at openhatch.org
Sat Jul 19 20:55:15 UTC 2014 

New submission from ehashman <elana at hashman.ca>:

Asheesh and I are concerned about the POST handler django-inplaceedit provides.
It is possible that it provides arbitrary edit access to the database given the
software's authentication mechanism. See this request sequence: 

[19/Jul/2014 16:45:22] "GET
/inplaceeditform/get_field/?field_name=status&module_name=annotatedbug&app_label=bugsets&can_auto_save=1&obj_id=4&font_size=12.95px&__widget_height=16px&__widget_width=71px
HTTP/1.1" 200 1072
[19/Jul/2014 16:45:26] "POST /inplaceeditform/save/ HTTP/1.1" 200 37

We should make sure that this new egg doesn't allow an attacker to, for
instance, change everyone's username to 'octamarine12345...'

----------
assignedto: paulproteus
keyword: security
messages: 4477
milestone: sooner
nosy: ehashman, paulproteus
priority: bug
status: unread
superseder: "Bug set view" screen for Bug Set Creator
title: django-inplaceedit probably introduces some security holes

__________________________________________
Roundup issue tracker <bugs at openhatch.org>
<https://openhatch.org/bugs/issue1020>
__________________________________________

More information about the Devel mailing list