[VIM] dispute: Django CSRF (CVE-2007-5828)

Steven M. Christey coley at mitre.org
Wed Nov 14 20:47:07 UTC 2007


Debian disputes this because they view it as an insecure
configuration; product documentation covers a CSRF protection module
that's available as part of the Django distribution.  For CVE, we
still include it because it's related to a default configuration, even
if the "blame" is squarely on the administrator.

- Steve


======================================================
Name: CVE-2007-5828
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5828
Reference: BUGTRAQ:20071029 Django 0.96 (stable) Admin Panel CSRF
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/482983/100/0/threaded

** DISPUTED **

Cross-site request forgery (CSRF) vulnerability in the admin panel in
Django 0.96 allows remote attackers to change passwords of arbitrary
users via a request to admin/auth/user/1/password/.  NOTE: this issue
has been disputed by Debian, since product documentation includes a
recommendation for a CSRF protection module that is included with the
product.  However, CVE considers this an issue because the default
configuration does not use this module.
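Added example, not taken from this post, from the Bugtraq advisory, or from Django itself: a self-contained Python simulation of the admin password-change view with and without a session-bound CSRF token check. It shows why a cross-site form post to admin/auth/user/1/password/ succeeds when the browser supplies the victim's session cookie and nothing else is checked, and why it fails once a token the attacker's page cannot compute is required. The Request class, the in-memory user and session stores, the password1/password2 field names and the sample cookie value are assumptions standing in for the real admin view; the token here is an HMAC of the session id under the server secret, which differs in construction from the shipped module but has the same property of being bound to the session and unknowable to a third-party page.

```python
# Added example: minimal re-implementation of the CSRF failure mode in
# CVE-2007-5828 and of a session-bound token check of the kind the
# django.contrib.csrf module applied. This is not Django's code and imports
# nothing from Django; the request object, user table, session store and
# field names are hypothetical stand-ins for the admin password-change view.
import hashlib
import hmac

SECRET_KEY = "example-secret-key-not-for-production"  # constructed sample

# Constructed in-memory user table keyed by primary key, as in /admin/auth/user/1/
USERS = {1: {"username": "admin", "password": "original"}}

# Constructed session store: session cookie value -> logged-in user id.
SESSIONS = {"sess-abc123": 1}


class Request:
    """A bare-bones POST request. The browser attaches the session cookie
    automatically, which is exactly why a cross-site form post is accepted."""

    def __init__(self, path, cookies, post):
        self.path = path
        self.cookies = cookies
        self.POST = post


def csrf_token(session_id):
    """Token bound to the session and the server secret. An attacker's page
    cannot read the victim's session cookie, so it cannot compute this."""
    return hmac.new(SECRET_KEY.encode(), session_id.encode(), hashlib.sha256).hexdigest()


def change_password_unprotected(request):
    """The default-configuration behaviour: any POST carrying a valid session
    cookie changes the password; nothing proves the form came from the admin."""
    user_id = SESSIONS.get(request.cookies.get("sessionid"))
    if user_id is None:
        return 302  # would redirect to the login page
    target = int(request.path.rstrip("/").split("/")[-2])  # ".../user/<id>/password/"
    p1, p2 = request.POST.get("password1"), request.POST.get("password2")
    if not p1 or p1 != p2:
        return 400
    USERS[target]["password"] = p1
    return 200


def change_password_protected(request):
    """Same view behind a middleware-style check: reject any POST whose
    csrfmiddlewaretoken does not match the token for this session."""
    session_id = request.cookies.get("sessionid", "")
    supplied = request.POST.get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        return 403
    return change_password_unprotected(request)


def forged_request():
    """What an attacker's page submits: the victim's browser adds the cookie,
    the attacker supplies the form fields, and the attacker has no token."""
    return Request(
        "/admin/auth/user/1/password/",
        {"sessionid": "sess-abc123"},
        {"password1": "owned", "password2": "owned"},
    )


def legitimate_request():
    """What the real admin form submits: the page rendered by the server
    included the hidden csrfmiddlewaretoken field for this session."""
    return Request(
        "/admin/auth/user/1/password/",
        {"sessionid": "sess-abc123"},
        {"password1": "newpass", "password2": "newpass",
         "csrfmiddlewaretoken": csrf_token("sess-abc123")},
    )


def run_scenarios():
    """Returns {name: (status, resulting password)}, resetting state before each case."""
    results = {}
    for name, view, req in [
        ("forged_unprotected", change_password_unprotected, forged_request()),
        ("forged_protected", change_password_protected, forged_request()),
        ("legit_protected", change_password_protected, legitimate_request()),
    ]:
        USERS[1]["password"] = "original"
        results[name] = (view(req), USERS[1]["password"])
    return results


if __name__ == "__main__":
    for name, (status, pw) in run_scenarios().items():
        print(f"{name}: HTTP {status}, password now {pw!r}")
```

In a 0.96 deployment the fix the dispute points to is adding 'django.contrib.csrf.middleware.CsrfMiddleware' to MIDDLEWARE_CLASSES in settings.py; that middleware injects a hidden csrfmiddlewaretoken field into rendered forms and rejects POSTs whose token does not match, which is the same check change_password_protected performs above. The point of the dispute is visible in the unprotected case: the view's own authentication check (the session cookie) passes, so the forgery succeeds unless the administrator has opted in to the token check.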



