That is as I feared, thanks for the help Russ.

On May 14, 4:58 pm, Russell Keith-Magee <russ...@keith-magee.com> wrote:
> On Tue, May 15, 2012 at 5:09 AM, Josh Cartmell <joshcar...@gmail.com> wrote:
> > Thanks for the responses and insight everyone (special thanks to
> > Russell for clarifying what type of attack this is). I will point this
> > discussion out to the Mezzanine users group and hopefully it will
> > generate some more thought into the matter.
> >
> > @Nikolas, you summed up what I was thinking well. I am wondering if
> > those two goals of not trusting user content and allowing admins
> > to post rich content are mutually exclusive.
> >
> > @John, I like that idea; the only problem is that it wouldn't
> > necessarily have to be a superuser, I think anyone with permission to
> > change users who viewed the code could cause the privilege elevation.
> >
> > @jim, I like the idea of putting the admin on a different subdomain
> > although that is not always feasible.
> >
> > I don't know if the Django admin uses ajax internally but I wonder if
> > it would be appropriate for there to be a Django setting which would
> > disable posting via ajax to the admin, rendering obsolete this sort of
> > injection, and still allowing admin users to post javascripts? I'm
> > not sure if it's always possible to reliably differentiate between an
> > ajax vs non-ajax request.
>
> It's only possible to tell the difference between AJAX and non-AJAX
> requests if the request actually identifies itself as an AJAX request
> (usually using the X-REQUESTED-WITH header in the request). Most
> well-behaved Javascript frameworks will do this, but attackers won't be
> following the rules. In short, you can't ever trust anything provided
> by the end user, because they can and will find a way to fake any
> value that will get them past security.
>
> Yours,
> Russ Magee %-)
-- You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com. To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-users?hl=en.