On Fri, May 11, 2012 at 10:11 PM, Josh Cartmell <joshcar...@gmail.com> wrote:
> I work a lot with Mezzanine which is a CMS that uses Django.  A
> security issue was recently revealed where an admin user, let's call
> him A, (they can post rich content) could put a cleverly constructed
> javascript on a page such that if a superuser, let's call her B, then
> visited the page it would elevate A to superuser status (a more
> thorough explanation is here:
>
> http://groups.google.com/group/mezzanine-users/browse_thread/thread/14fde9d8bc71555b/8208a128dbe314e8?lnk=gst&q=security
> ).
> Apparently any Django app which allowed admin users to post arbitrary
> html would be vulnerable.
>
> My first thought was that csrf protection should prevent this but alas
> that is not the case.  The only real solution found is to restrict
> admin users from posting any javascript in their content, unless you
> completely trust the admin users.
>
> My question is: are there any other solutions to these sorts of
> problems?  It seems like allowing an admin user to post javascript is
> reasonable, what is unreasonable is for that javascript to be able to
> elevate a user's privilege.  Could improvements be made to the csrf
> mechanism to prevent this sort of user privilege elevation?
>
>
One way to do this would be to have the admin interface on a different
subdomain to any user-generated content. Then JS in user-generated content
that tries to access the admin interface will be foiled by the same-origin
policy.
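The restriction the original post settles on, stripping script from rich content posted by admin users, as an added Python example (not Mezzanine's or Django's own code). The tag and attribute allowlists, the URL scheme check and the sample strings are constructed for this illustration; a deployment should use a maintained sanitizer such as the bleach library rather than this one.

```python
"""Allowlist sanitizer for admin-posted rich content (added example).

Everything not on the allowlist is dropped: unknown tags, every on* event
handler, style attributes, comments, and the entire body of <script> and
<style>. href/src values are only kept when their scheme is on the allowlist,
so javascript: URLs (in any casing or with embedded whitespace) are removed.
"""
from html import escape
from html.parser import HTMLParser
import re

# Constructed allowlists: what an ordinary rich-text post needs, nothing else.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li",
                "h1", "h2", "h3", "blockquote", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
DROP_CONTENT_TAGS = {"script", "style"}   # element and its text are both removed
SAFE_SCHEMES = ("http:", "https:", "mailto:", "/", "#")

_CONTROL = re.compile(r"[\x00-\x20\x7f]")


def safe_url(value):
    """True only for URLs whose scheme is in SAFE_SCHEMES.

    Whitespace and control characters are stripped before the check so that
    'java\\tscript:' or ' JAVASCRIPT:' cannot slip past it. Bare relative
    paths such as 'page.html' are rejected by this (deliberately strict) rule.
    """
    cleaned = _CONTROL.sub("", value).lower()
    return cleaned.startswith(SAFE_SCHEMES)


class Sanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: text and attribute values arrive decoded, so
        # '&#x09;' tricks are already resolved before safe_url() sees them.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return            # unknown tag dropped; its text is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue      # drops onclick/onerror/style/... wholesale
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # re-escape text

    def handle_comment(self, data):
        pass                  # comments are never emitted


def sanitize(html):
    """Return a copy of `html` containing only allowlisted markup."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample posts, not taken from the thread.
    for sample in ('<p onmouseover="alert(1)">hi</p>',
                   "<script>alert(1)</script><p>y</p>",
                   '<a href=" JavaScript:alert(1)">z</a>'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The point of an allowlist rather than a blocklist is that every new attribute or tag an attacker might think of is rejected by default; only the handful of names listed above ever reach the page. This sanitizer is a complement to, not a replacement for, serving the admin interface from a separate origin as suggested above: the origin split contains script that does get through, the sanitizer keeps it out in the first place.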



> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To post to this group, send email to django-users@googlegroups.com.
> To unsubscribe from this group, send email to
> django-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-users?hl=en.
>
>
