Documentation error which can cause TFA bypass #90
Comments
Thanks @pjensen000! Any chance you can provide this as a PR?

Sorry, I don't have any git tools installed or knowledge on how to use them. I just wanted to share the issue report.

@pjensen000 / @hailkomputer do you have steps to recreate and test this? Your analysis makes sense but I would prefer to confirm the proposed fix before publishing it.

Steps to recreate:

I can verify that I did this and was able to get in using the login_required decorator. I can also verify that I switched to staff_member_required and now only people already logged in as staff can see the login screen. Technically, if some staff don't have/need TFA and others do, you could still bypass TFA by logging in as a staff member who doesn't have TFA and then doing the same procedure as above. In my case all staff are required to have TFA. The fix only works if all staff are required to use TFA. A more universal fix would be to write a mixin like staff_member_required, except instead it's tfa_enabled_user_required. I have not written such a mixin.
The documentation, in the Installation section, has a warning at the end about the admin site, and then some sample code.

The sample code has an error which can result in TFA being bypassed for the admin site. The scenario is a site where some users do not have/need TFA, but all admin users do. Using the code provided, an attacker can log in with a non-admin account without TFA, then browse directly to the admin site, and is allowed to re-login there without TFA. The redirect provided in the documentation code:

```python
admin.site.login = login_required(admin.site.login)
```

does not trigger the login_required wrapper because the user is logged in already. They are instead taken directly to the admin site, which provides a login view that bypasses TFA.
FIX:

Instead of wrapping with login_required, wrap with staff_member_required:

```python
from django.contrib.admin.views.decorators import staff_member_required

admin.site.login = staff_member_required(admin.site.login, login_url='/accounts/login')
```

This will then disallow showing the admin site to anyone not logged in as an admin, preventing the attack described.
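To make the difference between the three gates concrete, here is an added, framework-free model of the access decision; it is not code from the issue reporter or from the project, and it does not use Django. The `User` dataclass stands in for Django's `request.user`, the `is_verified` flag is a constructed stand-in for the second-factor state that django-otp exposes as `user.is_verified()`, and `/accounts/login` is taken from the snippet above. The model runs each policy against the four user states that matter here (anonymous, logged-in non-staff without TFA, staff without TFA, staff with TFA) and shows why `login_required` lets the non-staff user reach the admin login view, why `staff_member_required` closes that hole, and why only a policy that also checks the second factor covers the "staff without TFA" case raised in the comments.

```python
"""Added example: model of admin-login gating policies (not the project's code).

User, Response and the is_verified flag are constructed stand-ins for Django's
request.user, an HTTP response, and django-otp's user.is_verified(); assumptions.
"""
from dataclasses import dataclass
from functools import wraps

LOGIN_URL = "/accounts/login"  # login URL used in the fix snippet above


@dataclass
class User:
    is_authenticated: bool
    is_staff: bool = False
    is_verified: bool = False  # True once the second factor was completed (assumed attribute)


@dataclass
class Response:
    status: int
    location: str = ""  # redirect target for 302 responses
    body: str = ""


def gate(predicate):
    """Build a decorator that only runs the view when predicate(user) holds,
    otherwise redirects to LOGIN_URL. Mirrors the shape of Django's
    user_passes_test-style decorators without depending on Django."""
    def decorator(view):
        @wraps(view)
        def wrapped(user):
            if predicate(user):
                return view(user)
            return Response(302, location=LOGIN_URL)
        return wrapped
    return decorator


# The three policies discussed in the thread, as predicates on the user.
POLICIES = {
    # login_required: any authenticated user passes, staff or not, TFA or not.
    "login_required": lambda u: u.is_authenticated,
    # staff_member_required: authenticated AND staff; non-staff accounts are sent away.
    "staff_member_required": lambda u: u.is_authenticated and u.is_staff,
    # the suggested tfa_enabled_user_required: staff who also completed the second factor.
    "tfa_verified_staff_required": lambda u: u.is_authenticated and u.is_staff and u.is_verified,
}


def admin_login_view(user):
    """Stand-in for admin.site.login, the view the wrappers protect."""
    return Response(200, body="admin login form")


def decide(policy_name, user):
    """Return 'allowed' if the wrapped admin login view renders for this user,
    'redirected' if the gate sends them to LOGIN_URL instead."""
    wrapped = gate(POLICIES[policy_name])(admin_login_view)
    return "allowed" if wrapped(user).status == 200 else "redirected"


# Constructed user states covering the scenarios described in the issue.
SCENARIOS = {
    "anonymous": User(is_authenticated=False),
    "non_staff_no_tfa": User(is_authenticated=True),
    "staff_no_tfa": User(is_authenticated=True, is_staff=True),
    "staff_with_tfa": User(is_authenticated=True, is_staff=True, is_verified=True),
}


def compare_policies():
    """Matrix of scenario -> policy -> outcome, for review or for a regression test."""
    return {
        name: {policy: decide(policy, user) for policy in POLICIES}
        for name, user in SCENARIOS.items()
    }


if __name__ == "__main__":
    for scenario, outcomes in compare_policies().items():
        print(f"{scenario:18s}", "  ".join(f"{p}={o}" for p, o in outcomes.items()))
```

The row for `non_staff_no_tfa` is the bypass from the issue body: `login_required` reports `allowed`, so the already-authenticated user reaches the admin's own login view, while `staff_member_required` reports `redirected`. The `staff_no_tfa` row is the residual case from the comments: `staff_member_required` still reports `allowed`, and only the policy that checks the second-factor state redirects.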