CVE-2008-3909: CSRF
First published: Wed Sep 03 2008(Updated: )
Description of problem: The following was reported today to the public (Sept, 2, 2008) via the Django main site: The Django administration application, as a convenience for users whose sessions expire, will attempt to preserve HTTP POST data from an incoming submission while re-authenticating the user, and will -- on successful authentication -- allow the submission to continue without requiring data to be re-entered. Django developer Simon Willison has presented the Django development team with a proof-of-concept cross-site request forgery (CSRF) which exploits this behavior to perform unrequested deletion/modification of data. This exploit has been tested and verified by the Django team, and succeeds regardless of whether Django's bundled CSRF-protection module is active. Version-Release number of selected component (if applicable): Django-0.96.2-1 Extra Info Since I am not aware if the maintainer of the package was given advance notice I'm cc'ing him on this bug.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/0.96.3 | <1 | 1 |
| pip/django | >=0.96.0<0.96.3 | 0.96.3 |
| pip/django | >=0.95.0<0.95.4 | 0.95.4 |
| pip/django | >=0.91.0<0.91.3 | 0.91.3 |
| Django | =0.91 | |
| Django | =0.96 | |
| Django | =0.95 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2008/09/03/4
- http://www.djangoproject.com/weblog/2008/sep/02/security/
- http://secunia.com/advisories/31837
- https://bugzilla.redhat.com/show_bug.cgi?id=460966
- https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00091.html
- https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00131.html
- http://www.debian.org/security/2008/dsa-1640
- http://secunia.com/advisories/31961
- http://osvdb.org/47906
- http://www.vupen.com/english/advisories/2008/2533
- http://admin.fedoraproject.org/updates/Django-0.96.3-1.fc9
- http://admin.fedoraproject.org/updates/Django-0.96.3-1.fc8
- https://access.redhat.com/security/cve/CVE-2008-3909
- https://nvd.nist.gov/vuln/detail/CVE-2008-3909
- https://github.com/django/django/commit/44debfeaa4473bd28872c735dd3d9afde6886752
- https://github.com/django/django/commit/7e0972bded362bc4b851c109df2c8a6548481a8e
- https://github.com/django/django/commit/aee48854a164382c655acb9f18b3c06c3d238e81
- http://www.djangoproject.com/weblog/2008/sep/02/security
- https://github.com/advisories/GHSA-r5cj-wv24-92p5 (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2008-2.yaml
- agent/author
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/description
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2008-3909
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-r5cj-wv24-92p5
- agent/last-modified-date
- agent/severity
- agent/references
- collector/github-advisory
- agent/trending
- agent/source
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-cve
- source/NVD
- package-manager/redhat
- package-manager/pip
- vendor/django project
- canonical/django
- version/django/0.91
- version/django/0.96
- version/django/0.95