We are a cybersecurity research group from the CISPA Helmholtz Center for Information Security and Ca’ Foscari University of Venice. We recently conducted an analysis of the session management in web applications on GitHub as part of our research. We have discovered a security vulnerability in your code that we believe requires your attention.
Vulnerability Description:
With our analysis, we have identified that your application is not using CsrfViewMiddleware as default but setting CSRF protection for individual views. However, this excludes a number of sensitive views. For example, the add_site_authed view is not protected, allowing an attacker to craft a CSRF payload that may force a target user to automatically subscribe to a feed chosen by the attacker. This even works, although Django uses lax SameSite cookies by default, because the endpoint is implemented on top of a GET request.
We hope this notification helps improve your security.
In addition to addressing this issue, we are interested in understanding how this vulnerability was introduced in the code or why it has remained unchanged. CsrfViewMiddleware is usually activated by default when you start a project. This information can provide valuable insights into common security pitfalls and help us all improve security practices in the future. Could you share any background on this aspect? We would greatly appreciate your input on this matter. Thank you!
Should you have further questions or comments on this, feel free to answer this thread or reach out to florian.hantke@cispa.de.
Hello NewsBlur developers,
We are a cybersecurity research group from the CISPA Helmholtz Center for Information Security and Ca’ Foscari University of Venice. We recently conducted an analysis of the session management in web applications on GitHub as part of our research. We have discovered a security vulnerability in your code that we believe requires your attention.
Vulnerability Description:
With our analysis, we have identified that your application is not using CsrfViewMiddleware as default but setting CSRF protection for individual views. However, this excludes a number of sensitive views. For example, the
add_site_authedview is not protected, allowing an attacker to craft a CSRF payload that may force a target user to automatically subscribe to a feed chosen by the attacker. This even works, although Django uses lax SameSite cookies by default, because the endpoint is implemented on top of a GET request.Example exploit:
Recommendation for Mitigation:
We recommend activating Django’s CsrfViewMiddleware as it protects all endpoint by default.
https://docs.djangoproject.com/en/5.0/ref/csrf/
We hope this notification helps improve your security.
In addition to addressing this issue, we are interested in understanding how this vulnerability was introduced in the code or why it has remained unchanged. CsrfViewMiddleware is usually activated by default when you start a project. This information can provide valuable insights into common security pitfalls and help us all improve security practices in the future. Could you share any background on this aspect? We would greatly appreciate your input on this matter. Thank you!
Should you have further questions or comments on this, feel free to answer this thread or reach out to florian.hantke@cispa.de.
Kind regards, Florian Hantke