Improper Privilege Management in liangliangyy/djangoblog


Reported on

Jan 30th 2022


Hi there, I would like to report an improper privilege management vulnerability in djangoblog source code. This would allow an attacker to create comment on behalf of anyone.

Proof of Concept

  1. Install a local instance of djangoblog, login as admin and create an article
  2. Create a new user called user1
  3. Login as user1 and create a comment
  4. Use a tool like Burp Suite to capture the request and repeat it with an empty sessionid, change name and email in body to admin and (the username and email of admin).
  5. See that a new comment is created on behalf of admin user
  6. The reason for this is this block of code in file comments/
        if not self.request.user.is_authenticated:
            email = form.cleaned_data['email']
            username = form.cleaned_data['name']

            user = get_user_model().objects.get_or_create(
                username=username, email=email)[0]
        comment =
        comment.article = article = user

If the user is not authenticated, then email and username is taken from request body and saved as comment author.


This vulnerability is capable of allowing attacker to create comments on behalf of others.

We are processing your report and will contact the liangliangyy/djangoblog team within 24 hours. a year ago
We have contacted a member of the liangliangyy/djangoblog team and are waiting to hear back a year ago
We have sent a follow up to the liangliangyy/djangoblog team. We will try again in 7 days. a year ago
We have sent a second follow up to the liangliangyy/djangoblog team. We will try again in 10 days. a year ago
且听风吟 validated this vulnerability a year ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
且听风吟 marked this as fixed in master with commit e37109 a year ago
且听风吟 has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation