[OH-Dev] [issue1020] django-inplaceedit probably introduces some security holes
ehashman
bugs at openhatch.org
Sat Jul 19 20:55:15 UTC 2014
New submission from ehashman <elana at hashman.ca>:
Asheesh and I are concerned about the POST handler django-inplaceedit provides.
It is possible that it provides arbitrary edit access to the database given the
software's authentication mechanism. See this request sequence:
[19/Jul/2014 16:45:22] "GET /inplaceeditform/get_field/?field_name=status&module_name=annotatedbug&app_label=bugsets&can_auto_save=1&obj_id=4&font_size=12.95px&__widget_height=16px&__widget_width=71px HTTP/1.1" 200 1072
[19/Jul/2014 16:45:26] "POST /inplaceeditform/save/ HTTP/1.1" 200 37
We should make sure that this new egg doesn't allow an attacker to, for
instance, change everyone's username to 'octamarine12345...'
----------
assignedto: paulproteus
keyword: security
messages: 4477
milestone: sooner
nosy: ehashman, paulproteus
priority: bug
status: unread
superseder: "Bug set view" screen for Bug Set Creator
title: django-inplaceedit probably introduces some security holes
__________________________________________
Roundup issue tracker <bugs at openhatch.org>
<https://openhatch.org/bugs/issue1020>
__________________________________________
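The concern in the report is that the save endpoint takes app_label, module_name, field_name and obj_id straight from the client, so without a per-field allow-list and a per-object authorization check a logged-in user could write to any model. The following is an added example written for this page, not code from django-inplaceedit or OpenHatch, showing the shape of the check a save handler needs. It is plain Python with an in-memory store so it runs without Django; EDITABLE_FIELDS, User, DB, save_field and the ownership policy in user_may_edit are all assumptions made for the illustration.

```python
"""
Illustrative authorization check for an in-place "save one field" endpoint.

Added example, not code from django-inplaceedit or OpenHatch.  A handler that
trusts app_label / module_name / field_name / obj_id from the request is an
arbitrary database write unless every save is authorized per model, per field
and per object.  Names (EDITABLE_FIELDS, User, DB, save_field) are hypothetical.
"""
from dataclasses import dataclass, field

# Hypothetical registry: only these (app_label, model, field) triples may be
# edited in place.  Anything not listed is rejected regardless of the caller.
EDITABLE_FIELDS = {
    ("bugsets", "annotatedbug", "status"),
    ("bugsets", "annotatedbug", "notes"),
}


@dataclass
class User:
    username: str
    perms: set = field(default_factory=set)  # e.g. "bugsets.change_annotatedbug"


# Constructed in-memory "database": (app_label, model) -> {obj_id: row}
DB = {
    ("bugsets", "annotatedbug"): {
        4: {"status": "open", "notes": "", "owner": "ehashman"},
    },
    ("auth", "user"): {
        1: {"username": "paulproteus"},
    },
}


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


def user_may_edit(user: User, app_label: str, model: str, row: dict) -> bool:
    """Object-level check (assumed policy): a model-level change permission
    grants access; otherwise only the row's owner may edit it."""
    if f"{app_label}.change_{model}" in user.perms:
        return True
    return row.get("owner") == user.username


def save_field(user: User, post: dict) -> dict:
    """Handle one save request.  `post` holds the string parameters a client
    would send: app_label, module_name, field_name, obj_id, value."""
    try:
        app_label = post["app_label"]
        model = post["module_name"]
        field_name = post["field_name"]
        obj_id = int(post["obj_id"])
        value = post["value"]
    except (KeyError, ValueError) as exc:
        raise BadRequest(f"missing or malformed parameter: {exc}") from None

    # 1. Allow-list the target before touching the store at all, so the client
    #    cannot choose an arbitrary (app, model, field) of its own.
    if (app_label, model, field_name) not in EDITABLE_FIELDS:
        raise Forbidden(f"{app_label}.{model}.{field_name} is not editable in place")

    table = DB.get((app_label, model), {})
    if obj_id not in table:
        raise BadRequest(f"no {model} with id {obj_id}")
    row = table[obj_id]

    # 2. Authorize this user for this object, not merely "is logged in".
    if not user_may_edit(user, app_label, model, row):
        raise Forbidden(f"{user.username} may not change {model} #{obj_id}")

    row[field_name] = value
    return {"saved": True, "obj_id": obj_id, field_name: value}
```

The two checks are deliberately ordered: the allow-list runs before any lookup, so an unregistered model or field never reaches the store, and the object-level check runs on the fetched row, so a model-wide "logged in" test cannot stand in for ownership.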