The Django admin in releases 1.1.2, 1.2.3 and earlier has an information leakage vulnerability.
Here is a theoretical setup, similar to the one in the video, to explain the vulnerability.
Setup:
I have a user that has add, change and delete permissions on the following model in the admin interface. They are simply a staff user, not a superuser. When they log in, they only see a few entries for this model.
from django.db import models
from django.contrib.auth.models import User

class TestModel(models.Model):
    # ForeignKey to the built-in User: the relation the lookups below traverse
    created_by = models.ForeignKey(User)
    title = models.CharField(max_length=64)
This model is registered with the admin without any custom ModelAdmin.
Below is an example of how this could be used / abused:
We can extract the exact values using a technique similar to blind SQL injection. Keep in mind we don't have to stop at one level: the filter lookups can be chained across multiple relations.
http://example.com/admin/testapp/testmodel/?created_by__password__regex=^sha1\$[0-9]$
http://example.com/admin/testapp/testmodel/?created_by__password__regex=^sha1\$[a-f]$
Depending on which of the two queries above returns results, we know whether the next character is in 0-9 or a-f; we then split that range and narrow it down further, eventually (and painfully) extracting the entire value.
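As an added example (not the page's or Django's own code), here is a standalone whitelist check modelled on the approach the fixed releases take: a lookup may only cross a relation if that exact field path is one the developer listed in list_filter. The model field names, primary key and list_filter value are assumed for the page's TestModel, and the set of query terms is a constructed subset.

```python
from urllib.parse import parse_qsl, urlsplit

# Query terms Django accepts after a field path (constructed subset for the demo)
QUERY_TERMS = {"exact", "iexact", "contains", "icontains", "startswith",
               "istartswith", "endswith", "iendswith", "regex", "iregex",
               "gt", "gte", "lt", "lte", "in", "isnull", "range"}

# Hypothetical admin configuration for the page's TestModel: its own fields,
# its primary key name, and the list_filter entries the developer exposed.
MODEL_FIELDS = {"id", "created_by", "title"}
PK_NAME = "id"
LIST_FILTER = {"created_by"}


def lookup_allowed(lookup, model_fields=MODEL_FIELDS, pk_name=PK_NAME,
                   list_filter=LIST_FILTER):
    """Whitelist check: a lookup may traverse a relation only if the
    developer listed that exact path in list_filter."""
    parts = lookup.split("__")
    if len(parts) > 1 and parts[-1] in QUERY_TERMS:
        parts.pop()          # drop the trailing query term, e.g. "regex"
    if len(parts) > 1 and parts[-1] == pk_name:
        parts.pop()          # "created_by__id" is implied by "created_by"
    if parts[0] not in model_fields:
        return True          # unknown field: the changelist ignores it anyway
    if len(parts) == 1:
        return True          # a local field of the model itself
    return "__".join(parts) in list_filter


def disallowed_lookups(url):
    """Return the query parameters of an admin changelist URL that the
    whitelist rejects; a non-empty list is worth logging or blocking."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [key for key, _ in params if not lookup_allowed(key)]


if __name__ == "__main__":
    # The page's first probe URL next to a legitimate filter on the relation.
    for u in [
        "http://example.com/admin/testapp/testmodel/?created_by__password__regex=^sha1\\$[0-9]$",
        "http://example.com/admin/testapp/testmodel/?created_by__id__exact=3",
    ]:
        print(u.split("?")[1], "->", disallowed_lookups(u))
```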
The advisory from the Django dev team can be found here: Security releases issued