Re: Admin user privilege elevation (how to prevent it)

On Tue, May 15, 2012 at 8:59 AM, Stephen McDonald wrote: > Stephen from Mezzanine here - thanks for the thorough response Russ. > > The cleansing process we go through is very rigorous - we're leaning > on the shoulders of tools that have solved this problem (in our case >

Re: Admin user privilege elevation (how to prevent it)

Stephen from Mezzanine here - thanks for the thorough response Russ. The cleansing process we go through is very rigorous - we're leaning on the shoulders of tools that have solved this problem (in our case the bleach library). It uses a white-list of tags and attributes, so all those tricky edge

Re: Admin user privilege elevation (how to prevent it)

That is as I feared, thanks for the help Russ. On May 14, 4:58 pm, Russell Keith-Magee wrote: > On Tue, May 15, 2012 at 5:09 AM, Josh Cartmell wrote: > > Thanks for the responses and insight everyone (special thanks to > > Russel to clarifying what

Re: Admin user privilege elevation (how to prevent it)

On Tue, May 15, 2012 at 5:09 AM, Josh Cartmell wrote: > Thanks for the responses and insight everyone (special thanks to > Russel to clarifying what type of attack this is).  I will point this > discussion out to the Mezzanine users group and hopefully it will > generate

Re: Admin user privilege elevation (how to prevent it)

Thanks for the responses and insight everyone (special thanks to Russel to clarifying what type of attack this is). I will point this discussion out to the Mezzanine users group and hopefully it will generate some more thought into the matter. @Nikolas, you summed up what I was thinking well. I

Re: Admin user privilege elevation (how to prevent it)

On Fri, May 11, 2012 at 10:11 PM, Josh Cartmell wrote: > I work a lot with Mezzanine which is a CMS that uses Django. A > security issue was recently revealed where an admin user, lets call > him A, (they can post rich content) could put a cleverly constructed > javascript

Re: Admin user privilege elevation (how to prevent it)

I know nothing about mezzanine, but if you have access to the view functions, then perhaps you can use a construct along the lines of: |def view_function(request):| | if request.user.is_superuser:| |return HttpResponse404() # Or perhaps render the view treating all data as unsafe...| |

Re: Admin user privilege elevation (how to prevent it)

The issue here is that Josh wants to allow certain users (admins) to create content with tags, but ensure that said users can't use JavaScript to gain superuser status or otherwise monkey with things they shouldn't. So while the "don't trust user content" approach is a good default, I don't think

Re: Admin user privilege elevation (how to prevent it)

On Sat, May 12, 2012 at 5:11 AM, Josh Cartmell wrote: > I work a lot with Mezzanine which is a CMS that uses Django.  A > security issue was recently revealed where an admin user, lets call > him A, (they can post rich content) could put a cleverly constructed > javascript

Re: Admin user privilege elevation (how to prevent it)

I imagine you could prevent this by storing the CSRF token in the user session rather than directly in a cookie. That way, JS on the site wouldn't be able to get at it. It looks like at least one project does this: https://github.com/mozilla/django-session-csrf _Nik On 5/11/2012 2:11 PM, Josh

Admin user privilege elevation (how to prevent it)

I work a lot with Mezzanine which is a CMS that uses Django. A security issue was recently revealed where an admin user, lets call him A, (they can post rich content) could put a cleverly constructed javascript on a page such that if a superuser, let's call her B, then visited the page it would