Improper Privilege Management in liangliangyy/djangoblog
Valid
Reported on
Jan 30th 2022
Description
Hi there, I would like to report an improper privilege management vulnerability in djangoblog source code. This would allow an attacker to create comment on behalf of anyone.
Proof of Concept
- Install a local instance of djangoblog, login as admin and create an article
- Create a new user called
user1 - Login as user1 and create a comment
- Use a tool like Burp Suite to capture the request and repeat it with an empty sessionid, change
nameandemailin body toadminandadmin@gmail.com(the username and email of admin). - See that a new comment is created on behalf of admin user
- The reason for this is this block of code in file comments/views.py
if not self.request.user.is_authenticated:
email = form.cleaned_data['email']
username = form.cleaned_data['name']
user = get_user_model().objects.get_or_create(
username=username, email=email)[0]
comment = form.save(False)
comment.article = article
comment.author = user
If the user is not authenticated, then email and username is taken from request body and saved as comment author.
Impact
This vulnerability is capable of allowing attacker to create comments on behalf of others.
We are processing your report and will contact the
liangliangyy/djangoblog
team within 24 hours.
a year ago
We have contacted a member of the
liangliangyy/djangoblog
team and are waiting to hear back
a year ago
We have sent a
follow up to the
liangliangyy/djangoblog
team.
We will try again in 7 days.
a year ago
We have sent a
second
follow up to the
liangliangyy/djangoblog
team.
We will try again in 10 days.
a year ago
to join this conversation