I imagine you could prevent this by storing the CSRF token in the user session rather than directly in a cookie. That way, JS on the site wouldn't be able to get at it. It looks like at least one project does this: https://github.com/mozilla/django-session-csrf
_Nik

On 5/11/2012 2:11 PM, Josh Cartmell wrote:
> I work a lot with Mezzanine which is a CMS that uses Django. A security issue was recently revealed where an admin user, let's call him A (they can post rich content), could put a cleverly constructed javascript on a page such that if a superuser, let's call her B, then visited the page it would elevate A to superuser status (a more thorough explanation is here: http://groups.google.com/group/mezzanine-users/browse_thread/thread/14fde9d8bc71555b/8208a128dbe314e8?lnk=gst&q=security). Apparently any django app which allowed admin users to post arbitrary html would be vulnerable.
>
> My first thought was that csrf protection should prevent this but alas that is not the case. The only real solution found is to restrict admin users from posting any javascript in their content, unless you completely trust the admin users.
>
> My question is: are there any other solutions to these sorts of problems? It seems like allowing an admin user to post javascript is reasonable; what is unreasonable is for that javascript to be able to elevate a user's privilege. Could improvements be made to the csrf mechanism to prevent this sort of user privilege elevation?