[Openstack-security] Fwd: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue

Jacob Kaplan-Moss jacob at djangoproject.com
Fri Oct 4 03:24:46 UTC 2013


We don't agree that this is a security vulnerability, which is why we
haven't addressed the issue. It boils down to "if someone has access to
your computer, then they can pretend to be you", which is a risk, to be
sure, but not one we can address in a web framework.

As the article states, this vulnerability depends on an attacker being able
to "find, steal, or intercept a user’s cookie". Any attacker with this
level of access has a variety of interesting options at their disposal.

Kurt, if you feel this deserves a CVE feel free. I do want to make sure
it's noted, however, that the Django team does not concur that this is a
real vulnerability.

Jacob


On Thu, Oct 3, 2013 at 10:09 PM, Kurt Seifried <kseifried at redhat.com> wrote:

> On 10/03/2013 08:22 PM, Jeffrey Walton wrote:
> > On Thu, Oct 3, 2013 at 6:30 PM, Jeffrey Walton <noloader at gmail.com>
> > wrote:
> >> Here's some more reading on the subject. It was recently updated,
> >> and effectively states Django is susceptible to session
> >> management attacks under some configurations.
> >>
> >> https://docs.djangoproject.com/en/1.4/topics/http/sessions/#using-cookie-based-sessions
> >
> > It's now being tracked: VU#160862 (thanks Kurt).
>
> Just to be clear I didn't do anything yet. That's a US-CERT
> Vulnerability Note number, nothing to do with CVE. Did you contact the
> Django people about this issue to report it upstream yet? Adding
> security at djangoproject.com in case they haven't seen it yet.
>
> This is regarding
>
> http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
>
> I'm going to assign a CVE if I can somewhat confirm a CVE hasn't been
> requested yet.
>
>
> - --
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>
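To make the point both sides are arguing concrete, here is an added illustration (not Django's code, and not from either poster) of a cookie-based session store: the session payload is timestamped and HMAC-signed, so a copy of the cookie taken before the user logs out verifies exactly as well afterwards, because nothing on the server records that the session ended. The `revoked_before` table is an assumed server-side addition showing what it takes to reject such a copy; `SECRET_KEY` and the sample session data are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment would use the framework's secret key.
SECRET_KEY = b"constructed-demo-secret"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(data: dict, now=None) -> str:
    """Serialise the session data plus an issue timestamp and HMAC it.
    The whole session lives in the cookie; the server keeps no record of it."""
    issued = int(now if now is not None else time.time())
    payload = _b64(json.dumps({"d": data, "t": issued}).encode())
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def load_session(cookie: str, max_age: int, revoked_before: dict, now=None):
    """Return the session data, or None if the cookie is forged, expired, or
    was issued before the user's last logout. `revoked_before` (user -> logout
    time) is the hypothetical server-side state a pure cookie store lacks."""
    try:
        payload, mac = cookie.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # signature mismatch: tampered payload or wrong key
    body = json.loads(_unb64(payload))
    now = now if now is not None else time.time()
    if now - body["t"] > max_age:
        return None  # age limit: the only expiry a stateless cookie can enforce
    if body["t"] < revoked_before.get(body["d"].get("user"), 0):
        return None  # issued before the user's logout; needs server-side state
    return body["d"]
```

Without the `revoked_before` check, a cookie copied before logout is accepted until `max_age` runs out; that window, not the signature, is what bounds the exposure.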