[Openstack-security] Fwd: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue

Kurt Seifried kseifried at redhat.com
Fri Oct 4 01:11:55 UTC 2013



On 10/02/2013 03:09 AM, Jeffrey Walton wrote:
> Not sure if this made anyone's radar....
> 
> (I'm not sure about the 1.7 version, though).
> 
> ---------- Forwarded message ----------
> From: G. S. McNamara <main at gsmcnamara.com>
> Date: Tue, Oct 1, 2013 at 4:20 PM
> Subject: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue
> To: full-disclosure at lists.grok.org.uk
> 
> FD,
> 
> I’m back!
> 
> Django versions 1.4 – 1.7 offer a cookie-based session storage
> option (not the default this time) that is afflicted by the same
> issue I posted about previously concerning Ruby on Rails:
> 
> If you obtain a user’s cookie, even if they log out, you can still
> log in as them.
> 
> The short write-up is here, if needed: 
> http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
>
>  Cheers,
> 
> G. S. McNamara

Sounds like this needs a CVE? Has one been requested from Mitre? If
not I can assign it.

https://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
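As an added illustration (not code from Django or from either poster), the following models the issue in the forwarded report: a minimal HMAC-signed cookie session store in which logout only tells the browser to drop the cookie, beside a hardened variant that keeps a per-user generation counter server-side so that logout revokes every cookie issued before it. The secret, user name and cookie values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # placeholder for the demo, not a real key


def sign(payload: dict) -> str:
    """Serialise the session payload and append an HMAC over it."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify(cookie: str):
    """Return the payload if the MAC checks out, else None (tampering or garbage)."""
    body, _, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class StatelessSessions:
    """Cookie is the whole session; the server keeps no record it could revoke."""
    def login(self, user): return sign({"user": user})
    def logout(self, cookie): return None  # nothing to invalidate server-side
    def current_user(self, cookie):
        data = verify(cookie)
        return data["user"] if data else None


class GenerationSessions:
    """Embed a per-user generation in the cookie; logout bumps it server-side.
    Trade-off: this also ends the user's other sessions on every device."""
    def __init__(self): self.gen = {}
    def login(self, user):
        return sign({"user": user, "gen": self.gen.setdefault(user, 0)})
    def logout(self, cookie):
        data = verify(cookie)
        if data: self.gen[data["user"]] = self.gen.get(data["user"], 0) + 1
    def current_user(self, cookie):
        data = verify(cookie)
        if not data or data.get("gen") != self.gen.get(data["user"]):
            return None
        return data["user"]


def replay_after_logout(store) -> bool:
    """True if a copy of the cookie still authenticates after the user logs out."""
    cookie = store.login("alice")
    captured = cookie  # a copy taken before logout (constructed for the demo)
    store.logout(cookie)
    return store.current_user(captured) == "alice"
```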