Improper Privilege Management in liangliangyy/djangoblog
Jan 30th 2022
Hi there, I would like to report an improper privilege management vulnerability in djangoblog source code. This would allow an attacker to create comment on behalf of anyone.
Proof of Concept
- Install a local instance of djangoblog, login as admin and create an article
- Create a new user called
- Login as user1 and create a comment
- Use a tool like Burp Suite to capture the request and repeat it with an empty sessionid, change
email@example.com(the username and email of admin).
- See that a new comment is created on behalf of admin user
- The reason for this is this block of code in file comments/views.py
if not self.request.user.is_authenticated: email = form.cleaned_data['email'] username = form.cleaned_data['name'] user = get_user_model().objects.get_or_create( username=username, email=email) comment = form.save(False) comment.article = article comment.author = user
If the user is not authenticated, then email and username is taken from request body and saved as comment author.
This vulnerability is capable of allowing attacker to create comments on behalf of others.