Hello all,

Thanks to a report 30 minutes ago from Robert Bunting, we've fixed a
hole in the Django admin site that allows non-authenticated users to
create unprivileged user accounts by guessing a URL.

This affects people using the Django development version, revision
3520 or higher. It does *not* affect people running any official
Django release. We're making this announcement in case some people are
using the development version on a production site somewhere.

The unprivileged user accounts created do not have any permission to
do anything, including logging into the admin site, but clearly it's
still important to patch this hole.
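The bug class described above (an admin "add user" handler whose only protection is that its URL is not advertised) is easiest to see next to the same handler gated on an authenticated, authorized session. The following is an added illustration, not Django's admin code and not the revision 3736 fix; the URL path, the User/Request shapes, the permission name "auth.add_user" and the in-memory user table are all assumptions made for the example:

```python
"""Missing-authorization bug class: an admin "add user" handler reachable by
anyone who POSTs to its URL, beside the same handler with auth checks first.
Constructed illustration; not Django's code. Path, User/Request shapes and
the permission name are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ADD_USER_PATH = "/admin/auth/user/add/"   # assumed path for the illustration


@dataclass
class User:
    username: str
    is_staff: bool = False
    permissions: frozenset = frozenset()


@dataclass
class Request:
    method: str
    path: str
    user: Optional[User] = None            # None means no authenticated session
    form: Dict[str, str] = field(default_factory=dict)


Response = Tuple[int, str]
Handler = Callable[[Request], Response]

USERS: Dict[str, User] = {}                # stand-in for the user table
AUDIT: List[str] = []                      # denied attempts, for detection/alerting


def _create_user(form: Dict[str, str]) -> Response:
    name = form.get("username", "").strip()
    if not name or name in USERS:
        return 400, "missing or duplicate username"
    USERS[name] = User(username=name)      # no staff flag, no permissions
    return 201, f"created {name}"


def add_user_vulnerable(request: Request) -> Response:
    """The only 'protection' is that the URL is not advertised: any client
    that POSTs to it gets an (unprivileged) account created."""
    if request.method != "POST":
        return 405, "method not allowed"
    return _create_user(request.form)


def add_user_fixed(request: Request) -> Response:
    """Same handler with authentication and authorization checked before any
    state change. Denials are recorded so repeated probing is visible."""
    if request.method != "POST":
        return 405, "method not allowed"
    if request.user is None:
        AUDIT.append(f"401 anonymous POST {request.path}")
        return 401, "login required"       # a real site would redirect to the admin login
    if not request.user.is_staff or "auth.add_user" not in request.user.permissions:
        AUDIT.append(f"403 {request.user.username} POST {request.path}")
        return 403, "permission denied"
    return _create_user(request.form)


def dispatch(request: Request, routes: Dict[str, Handler]) -> Response:
    handler = routes.get(request.path)
    if handler is None:
        return 404, "not found"
    return handler(request)


def demo() -> Dict[str, Response]:
    """Run the same anonymous and staff requests against both routings."""
    USERS.clear()
    AUDIT.clear()
    anon = Request("POST", ADD_USER_PATH, None, {"username": "guest1"})
    staff = User("admin", is_staff=True, permissions=frozenset({"auth.add_user"}))
    staff_req = Request("POST", ADD_USER_PATH, staff, {"username": "guest2"})
    results: Dict[str, Response] = {}
    results["anon_vulnerable"] = dispatch(anon, {ADD_USER_PATH: add_user_vulnerable})
    USERS.clear()                          # start the fixed routing from a clean table
    results["anon_fixed"] = dispatch(anon, {ADD_USER_PATH: add_user_fixed})
    results["staff_fixed"] = dispatch(staff_req, {ADD_USER_PATH: add_user_fixed})
    return results


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name:16} -> {status} {body}")
    print("audit:", AUDIT)
```

The point of the fixed handler is ordering: the identity and permission checks run before any write, and a denial leaves an audit record, so a client walking guessed admin URLs shows up in the logs instead of silently creating accounts.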
To patch your code, just do a "svn update" of your Django code: At the
command prompt, change into your "django" directory and type "svn
update". The fix was made in revision 3736.

(Cross-posted to django-users mailing list because django-announce
doesn't have many subscribers. Please take a moment to sign up for
that list, because we won't be posting announcements to django-users
for much longer, in favor of django-announce. Sign up here:
http://groups.google.com/group/django-announce/ )

Adrian

-- 
Adrian Holovaty
holovaty.com | djangoproject.com