Exposure of Sensitive Information to an Unauthorized Actor in tl-its-umich-edu/my-learning-analytics

Valid

Reported on

May 23rd 2021


✍️ Description

Django's SECRET_KEY is hard-coded in the Dockerfile, so it ends up in the repository history and in every image built from it. Django uses this key for cryptographic signing: session cookies, values signed through django.core.signing (including signed JSON payloads), framework messages and password-reset tokens.

🕵️‍♂️ Proof of Concept

https://stackoverflow.com/questions/15170637/effects-of-changing-djangos-secret-key/15383766?noredirect=1#comment21743494_15383766

💥 Impact

Anyone who can read the repository or the built image can sign arbitrary values with this key, so anything Django verifies with it (session cookies, signed data, password-reset tokens) can be forged. The secure alternative is to supply the secret at runtime through an environment variable or a secret store instead of baking it into the image.
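The following is an added example, not code from the report or from the my-learning-analytics project. It re-implements the shape of Django's Signer scheme (a per-purpose key derived as SHA-256 over salt plus secret, an HMAC-SHA256 over the payload, URL-safe base64 without padding, and a ':' separator) in plain Python so it runs without Django; treat the exact byte layout as an approximation for illustration. The secret value, the forged payload and the environment-variable loader are all constructed for this example. It shows why a leaked key matters: whoever holds it can mint tokens the server accepts, and a server that instead loads a different key from its environment at startup rejects the same forgery.

```python
import base64
import hashlib
import hmac
import json
import os

# Placeholder for a key baked into a Dockerfile (constructed value, not the project's real key).
LEAKED_SECRET_KEY = "hardcoded-build-time-secret-do-not-use-in-production-0000"
DEFAULT_SALT = "django.core.signing"


def _b64_encode(raw: bytes) -> str:
    """URL-safe base64 with the '=' padding stripped, as Django's signing module does."""
    return base64.urlsafe_b64encode(raw).strip(b"=").decode()


def _salted_hmac(salt: str, value: str, secret: str) -> str:
    """Derive a purpose-specific key from (salt + secret) and HMAC the value with it."""
    key = hashlib.sha256((salt + secret).encode()).digest()
    return _b64_encode(hmac.new(key, value.encode(), hashlib.sha256).digest())


def sign(obj, secret: str, salt: str = DEFAULT_SALT) -> str:
    """Serialize obj to compact JSON, base64 it, and append its signature."""
    payload = _b64_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{payload}:{_salted_hmac(salt + 'signer', payload, secret)}"


def verify(token: str, secret: str, salt: str = DEFAULT_SALT):
    """Return the decoded object if the signature matches `secret`, otherwise None."""
    payload, _, sig = token.rpartition(":")
    expected = _salted_hmac(salt + "signer", payload, secret)
    if not hmac.compare_digest(sig, expected):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def forge_with_leaked_key(obj) -> str:
    """What an attacker who read the Dockerfile can do: sign any payload they like."""
    return sign(obj, LEAKED_SECRET_KEY)


def secret_key_from_env(env=None) -> str:
    """The fix: settings.py reads the key from the environment at startup and fails closed.

    `env` is injectable for testing; it defaults to the real process environment.
    """
    env = os.environ if env is None else env
    key = env.get("DJANGO_SECRET_KEY", "")
    if len(key) < 50:  # Django's own check_secret_key warns below this length
        raise RuntimeError("DJANGO_SECRET_KEY must be set to at least 50 characters")
    return key


if __name__ == "__main__":
    # Constructed runtime key, as a deployment would inject it via the environment.
    runtime_key = secret_key_from_env({"DJANGO_SECRET_KEY": "r" * 64})
    forged = forge_with_leaked_key({"user_id": 1, "is_staff": True})
    print("accepted with leaked key:", verify(forged, LEAKED_SECRET_KEY))
    print("accepted with runtime key:", verify(forged, runtime_key))
```

The two `print` lines make the point of the maintainer's later reply concrete: if the running application really loads a different key from its configuration, the build-time key in the Dockerfile cannot be used to forge anything the running app will accept, which is exactly the check to make before dismissing the report.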

Code
6 months ago

Thanks! The DJANGO_SECRET_KEY in this Dockerfile context is only used so collectstatic can run. A secret key is required to be provided through the configuration file while the app is running. Whether this is hardcoded or random won't make a difference here and the PoC isn't relevant.

Code
5 months ago

Even though this doesn't seem like it's a high-priority issue, we're not 100% sure so researched and resolved this. Thanks for the issue and notification!

Code Hugger (Matthew Jones) validated this vulnerability 5 months ago
novik8989 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome validated this vulnerability 5 months ago
novik8989 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome (Admin)
5 months ago

Re-validated as the previous validation failed.

Jamie Slome (Admin)
5 months ago

@Code Hugger, feel free to confirm fix once you have patched on your repository. Have a great day all! 🎉

Michael Rowley
5 months ago

It looks like this vulnerability was validated and awarded twice?

Jamie Slome (Admin)
5 months ago

Just a visual bug!

Code Hugger (Matthew Jones) confirmed that a fix has been merged on 0ab3c2 5 months ago
The fix bounty has been dropped