Improper Privilege Management in liangliangyy/djangoblog

Valid

Reported on

Jan 30th 2022


Description

Hi there, I would like to report an improper privilege management vulnerability in djangoblog source code. This would allow an attacker to create comment on behalf of anyone.

Proof of Concept

  1. Install a local instance of djangoblog, login as admin and create an article
  2. Create a new user called user1
  3. Login as user1 and create a comment
  4. Use a tool like Burp Suite to capture the request and repeat it with an empty sessionid, change name and email in body to admin and admin@gmail.com (the username and email of admin).
  5. See that a new comment is created on behalf of admin user
  6. The reason for this is this block of code in file comments/views.py
        if not self.request.user.is_authenticated:
            email = form.cleaned_data['email']
            username = form.cleaned_data['name']

            user = get_user_model().objects.get_or_create(
                username=username, email=email)[0]
        comment = form.save(False)
        comment.article = article

        comment.author = user

If the user is not authenticated, then email and username is taken from request body and saved as comment author.

Impact

This vulnerability is capable of allowing attacker to create comments on behalf of others.

We are processing your report and will contact the liangliangyy/djangoblog team within 24 hours. 4 months ago
We have contacted a member of the liangliangyy/djangoblog team and are waiting to hear back 4 months ago
We have sent a follow up to the liangliangyy/djangoblog team. We will try again in 7 days. 4 months ago
We have sent a second follow up to the liangliangyy/djangoblog team. We will try again in 10 days. 4 months ago
且听风吟 validated this vulnerability 4 months ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
且听风吟 confirmed that a fix has been merged on e37109 4 months ago
且听风吟 has been awarded the fix bounty
to join this conversation