#5879: Session riding vulnerability in the admin app
--------------------------------+-------------------------------------------
 Reporter:  [EMAIL PROTECTED]   |      Owner:  nobody
   Status:  new                 |  Component:  Admin interface
  Version:  SVN                 |   Keywords:
    Stage:  Unreviewed          |  Has_patch:  0
--------------------------------+-------------------------------------------
 Everything that is needed to submit an HTML form like on
 http://127.0.0.1:8000/admin/*/*/add/ can be guessed by an attacker.
 Therefore, the necessary data may be included in an external web page, and
 as soon as an already logged-in admin visits that page, the attacker can
 add things to the database.

 http://en.wikipedia.org/wiki/XSRF

 Roland

-- 
Ticket URL: <http://code.djangoproject.com/ticket/5879>
Django Code <http://code.djangoproject.com/>
The web framework for perfectionists with deadlines
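The standard mitigation for the forgeable-form problem the ticket describes, as an added example that is not code from the ticket or from Django itself: the server embeds a token derived from a private secret and the logged-in session into the form and refuses any POST that does not carry it, so a request assembled from guessable fields alone is rejected. The function names, the session ids and the server secret are constructed for illustration; the hidden-field name `csrfmiddlewaretoken` is the one Django's CSRF middleware later adopted.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed server-side secret; in a real deployment this is a persistent,
# private setting that no remote page can read.
SERVER_SECRET = secrets.token_hex(32)

def csrf_token_for(session_id: str) -> str:
    """Token bound to one logged-in session. It is the one form field an
    external page cannot pre-fill: deriving it needs the server secret and
    the victim's session id, neither of which a foreign site holds."""
    return hmac.new(SERVER_SECRET.encode(), session_id.encode(),
                    hashlib.sha256).hexdigest()

def render_add_form(session_id: str) -> str:
    """The 'add' form as served to the logged-in user, with the token
    embedded as a hidden field (constructed markup, not the admin's own)."""
    token = csrf_token_for(session_id)
    return ('<form method="post" action="/admin/app/model/add/">'
            f'<input type="hidden" name="csrfmiddlewaretoken" value="{token}">'
            '<input name="name"><input type="submit"></form>')

def check_post(session_id: str, body: str) -> bool:
    """Accept a POST only when it carries the token for the session that
    sent it. A missing token or one from another session fails closed."""
    fields = parse_qs(body, keep_blank_values=True)
    supplied = fields.get("csrfmiddlewaretoken", [""])[0]
    expected = csrf_token_for(session_id)
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(supplied.encode(), expected.encode())

def demo() -> dict:
    """Three submissions against the same admin session (constructed ids)."""
    admin = "admin-session-7f3a"
    genuine = f"csrfmiddlewaretoken={csrf_token_for(admin)}&name=widget"
    # Only guessable fields: all that a foreign page can assemble on its own.
    guessable_only = "name=widget"
    # A token minted for a different session does not carry over to the admin's.
    other = f"csrfmiddlewaretoken={csrf_token_for('other-session')}&name=widget"
    return {
        "genuine": check_post(admin, genuine),                # True
        "guessable_only": check_post(admin, guessable_only),  # False
        "other_session": check_post(admin, other),            # False
    }

if __name__ == "__main__":
    print(demo())
```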
