<div dir="ltr">We don't agree that this is a security vulnerability, which is why we haven't addressed the issue. It boils down to "if someone has access to your computer, then they can pretend to be you", which is a risk, to be sure, but not one we can address in a web framework. <div>
<br></div><div>As the article states, this vulnerability depends on an attacker being able to "find, steal, or intercept a user’s cookie". Any attacker with this level of access has a variety of interesting options at their disposal.<br>
<div><br></div><div>Kurt, if you feel this deserves a CVE feel free. I do want to make sure it's noted, however, that the Django team does not concur that this is a real vulnerability.</div></div><div><br></div><div>
Jacob</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Oct 3, 2013 at 10:09 PM, Kurt Seifried <span dir="ltr"><<a href="mailto:kseifried@redhat.com" target="_blank">kseifried@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
On 10/03/2013 08:22 PM, Jeffrey Walton wrote:<br>
> On Thu, Oct 3, 2013 at 6:30 PM, Jeffrey Walton <<a href="mailto:noloader@gmail.com">noloader@gmail.com</a>><br>
> wrote:<br>
>> Here's some more reading on the subject. It was recently updated,<br>
>> and effectively states django is susceptible to session<br>
>> management attacks under some configurations.<br>
>> <a href="https://docs.djangoproject.com/en/1.4/topics/http/sessions/#using-cookie-based-sessions" target="_blank">https://docs.djangoproject.com/en/1.4/topics/http/sessions/#using-cookie-based-sessions</a>.<br>
><br>
>><br>
It's now being tracked: VU#160862 (thanks Kurt).<br>
<br>
Just to be clear I didn't do anything yet. That's a US-CERT<br>
Vulnerability Note number, nothing to do with CVE. Did you contact the<br>
Django people about this issue to report it upstream yet? Adding<br>
<a href="mailto:security@djangoproject.com">security@djangoproject.com</a> in case they haven't seen it yet.<br>
<br>
This is regarding<br>
<br>
<a href="http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/" target="_blank">http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/</a><br>
<br>
I'm going to assign a CVE if I can somewhat confirm a CVE hasn't been<br>
requested yet.<br>
<br>
<br>
- --<br>
Kurt Seifried Red Hat Security Response Team (SRT)<br>
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.14 (GNU/Linux)<br>
<br>
iQIcBAEBAgAGBQJSTjFMAAoJEBYNRVNeJnmTsekP/2igBidUl26EmyQg09qOYT7S<br>
mYbn60jqyaH+yyBpZc6RK6bhWxK5vOrSD46l8ag7oxX3SXQNJmv8dD3ua5nMvJfH<br>
ynrbm9oXboU04tw3ij5Texvux2OmBqdf1wW/zONhEMO4XLP9QaT82zTINbLVMyR7<br>
QVPaFAYWT0Ba/QEEIbG2cJ3v14dRl9lqB/qOlsx1CrcwczqGlLYPjvhctTG4NZRW<br>
op6f+XrEgBb5GAd/YrQdQrKKo5vlIwVRSuSRbYFLaQZU/4gAy0rMCUjuXxO+nt8W<br>
1FaXryBSjr4MBffE2ou7XDwrUSJJkqceEhEKF3mKaRLRTjXbV6/u2Slc9EtlaS9t<br>
k0wu8wMx7xnSsZVTldBaS4Pgh49ZiDqqxGRncb8Gy+GIAvrh3FswLNxJa7w/zDBT<br>
JIewqKvSiWKqgrRc2HPw2w9QWnX3OhXGRxmbTRUuEse/dlQ2OqnT7z1mPG2AmJoj<br>
I+tsis7btojs0OEXeyOOJVJzINWSCZcF1PAz1zwO5c4x7lA9la6dgaOKQPPFctjR<br>
UKq30ztQ66eXiROydt/Vz1zUgPn/KUHB34L2jyPg/otnx/TLLisCEXxXb4TL68nx<br>
0WfPTVK5zRl0SqmSdizwHaCDepaexh756QGIJyRrd8br1O9GKj1Lj5g6Vx4PDiLO<br>
KdabNJIvEImC8HPAPwoE<br>
=lzjh<br>
-----END PGP SIGNATURE-----<br>
</blockquote></div><br></div>
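Added example, not code from this thread, from Django, or from the linked article: a minimal plain-Python model of the two session designs the discussion turns on. A cookie-based (signed, stateless) session carries its data in the cookie itself, so the server holds nothing to delete at logout and a previously copied cookie keeps verifying until the signing key changes or the cookie's own age limit passes; a server-side session store can simply drop the record. The SECRET_KEY value, the session contents and the stand-in "copied cookie" scenario are all constructed for the example, and the functions are hypothetical helpers, not any framework's API.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed secret for the example; a real deployment keeps this out of source.
SECRET_KEY = b"example-secret-key-not-for-real-use"


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the serialized session payload, hex encoded."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def make_signed_cookie(session_data: dict) -> str:
    """Stateless (cookie-based) session: data plus signature, nothing stored server-side."""
    payload = base64.urlsafe_b64encode(
        json.dumps(session_data, sort_keys=True).encode()
    )
    return payload.decode() + ":" + _sign(payload)


def load_signed_cookie(cookie: str):
    """Return the session dict if the signature verifies, otherwise None."""
    try:
        payload_b64, sig = cookie.rsplit(":", 1)
    except ValueError:
        return None
    payload = payload_b64.encode()
    # Constant-time comparison so verification does not leak timing information.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


class ServerSessionStore:
    """Server-side session: the cookie holds only an opaque id; data lives here."""

    def __init__(self):
        self._sessions = {}

    def create(self, session_data: dict) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = dict(session_data)
        return sid

    def load(self, sid: str):
        return self._sessions.get(sid)

    def logout(self, sid: str) -> None:
        # Logout deletes the server-side record, so any copy of the id is now useless.
        self._sessions.pop(sid, None)


def copied_signed_cookie_valid_after_logout() -> bool:
    """Signed cookie: the user 'logs out', but the server has no record to remove."""
    cookie = make_signed_cookie({"user_id": 42})
    copied = cookie  # a copy made earlier (constructed scenario)
    # Client-side logout only discards the browser's cookie; the copy still verifies.
    return load_signed_cookie(copied) == {"user_id": 42}


def copied_session_id_rejected_after_logout() -> bool:
    """Server-side store: logout invalidates every copy of the session id."""
    store = ServerSessionStore()
    sid = store.create({"user_id": 42})
    copied = sid
    store.logout(sid)
    return store.load(copied) is None


def tampered_cookie_rejected() -> bool:
    """Editing the payload without the key breaks the signature, so it is rejected."""
    cookie = make_signed_cookie({"user_id": 42})
    _, sig = cookie.rsplit(":", 1)
    forged_payload = base64.urlsafe_b64encode(
        json.dumps({"user_id": 1}, sort_keys=True).encode()
    ).decode()
    return load_signed_cookie(forged_payload + ":" + sig) is None


if __name__ == "__main__":
    print("signed cookie still valid after logout:", copied_signed_cookie_valid_after_logout())
    print("server-side id rejected after logout:", copied_session_id_rejected_after_logout())
    print("tampered cookie rejected:", tampered_cookie_rejected())
```

The signature protects integrity (the third function), which is what a signed-cookie design is meant to deliver; it does not give the server a way to revoke an individual session, which is the property the thread is arguing about. Revoking everything at once by rotating SECRET_KEY, or binding the cookie to a server-side record as the second function does, are the usual ways to close that gap.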