

Django Security Releases Issued - ssclafani
http://www.djangoproject.com/weblog/2010/dec/22/security/

======
endtime
Thanks for posting this - fortunately, neither of these issues is serious
enough that I feel the need to upgrade tonight vs. tomorrow. The first one
doesn't affect me at all (you need to have given an untrusted user limited
admin access to be affected) and the second one will eat server resources but
won't compromise anything permanently. Phew.

------
leahculver
To take advantage of the admin issue prior to this security release, a user would
need to 1) have access to the admin, 2) have limited admin privileges, and 3) be
smart enough to manipulate the querystring in the URL.

I got a good chuckle out of this fix because I'm assuming that in practice 2)
and 3) are mutually exclusive.

~~~
ojilles
I agree that it's probably a minor issue. But consider that 2) could be hacked
by someone that's not 3).

~~~
ericflo
Why would you hack in and limit your own admin privileges?

~~~
ubernostrum
If you can compromise someone's account -- someone who doesn't have superuser
privileges -- you could then exploit the querystring trick to try to get
access to additional information. And potentially compromise the account of
someone who does have superuser privileges.
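
The "querystring trick" ubernostrum refers to, as an added example that is not part of the thread or of Django's own code: a toy, in-memory stand-in for the admin changelist that, like the pre-1.2.4 admin, turns every `field__field__lookup=value` pair in the URL into an ORM filter. Because lookups may cross a foreign key, a staff user who can list `Post` objects but has no permission on `User` can still ask "are there posts whose author is a superuser and whose password hash starts with X?" and read the answer off the result count, recovering the superuser's hash one character at a time. The second half mirrors the allow-list idea behind `ModelAdmin.lookup_allowed()`, which Django 1.2.4 introduced (simplified here). All tables, records and hashes are constructed for the demonstration.

```python
"""Added example (not Django's code): a toy model of the Django 1.2.4 admin
changelist leak and of the allow-list that closed it.  All records, names and
hashes below are constructed for the demonstration."""
from urllib.parse import parse_qs, quote

# Constructed sample tables.  A limited staff user is allowed to see Posts but
# not Users; the superuser row is reachable only through the Post.author FK.
USERS = {
    1: {"username": "root", "is_superuser": True,
        "password": "sha1$f00ba$2c0e2d9b3a5f7d1e8c4b6a9f0e1d2c3b4a5f6e7d"},  # fake hash
    2: {"username": "editor", "is_superuser": False,
        "password": "sha1$aa11bb$0123456789abcdef0123456789abcdef01234567"},  # fake hash
}
POSTS = [
    {"id": 10, "title": "Welcome", "author": 1},
    {"id": 11, "title": "Roadmap", "author": 1},
    {"id": 12, "title": "Changelog", "author": 2},
]

# The two ORM lookups the toy supports; the real ORM has many more.
LOOKUPS = {
    "exact": lambda value, arg: str(value) == arg,
    "startswith": lambda value, arg: str(value).startswith(arg),
}
LIST_FILTER = ("author",)  # filters this hypothetical ModelAdmin exposes


def resolve(row, path):
    """Walk a field__field__... chain, hopping across the author FK into USERS
    only when the chain continues into the related row."""
    value = row
    for i, part in enumerate(path):
        value = value[part]
        if part == "author" and i < len(path) - 1:
            value = USERS[value]
    return value


def filter_posts(querystring, lookup_allowed=None):
    """Toy changelist: every key=value in the querystring becomes a filter.
    With lookup_allowed=None it behaves like the pre-1.2.4 admin and accepts
    any lookup the ORM understands, including ones that cross relations."""
    rows = list(POSTS)
    for key, values in parse_qs(querystring).items():
        if lookup_allowed is not None and not lookup_allowed(key):
            raise PermissionError("Filtering by %s not allowed" % key)
        *path, lookup = key.split("__")
        if lookup not in LOOKUPS:        # bare field name means exact match
            path.append(lookup)
            lookup = "exact"
        rows = [r for r in rows if LOOKUPS[lookup](resolve(r, path), values[0])]
    return rows


ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789$"


def extract_hash(lookup_allowed=None):
    """Recover the superuser's password hash one character at a time by asking
    the changelist: are there posts whose author is a superuser and whose
    password hash starts with <known prefix + candidate>?  A non-empty result
    page is the oracle; the attacker never needs permission on the User model."""
    known = ""
    while True:
        for ch in ALPHABET:
            qs = ("author__is_superuser=True&author__password__startswith="
                  + quote(known + ch))
            if filter_posts(qs, lookup_allowed):
                known += ch
                break
        else:                            # no character extends the prefix: done
            return known


def lookup_allowed(key):
    """Simplified allow-list in the spirit of ModelAdmin.lookup_allowed(), which
    Django 1.2.4 added: the filter must target a field this admin exposes and
    may end in a lookup, but may not descend into the related model's fields."""
    parts = key.split("__")
    if parts[0] not in LIST_FILTER:
        return False
    return len(parts) == 1 or (len(parts) == 2 and parts[1] in LOOKUPS)


def is_blocked(querystring):
    """True if the hardened changelist refuses this querystring."""
    try:
        filter_posts(querystring, lookup_allowed)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable admin leaks:", extract_hash())
    print("hardened admin still filters author=1:",
          [p["id"] for p in filter_posts("author=1", lookup_allowed)])
    print("hardened admin blocks the oracle:",
          is_blocked("author__password__startswith=sha1"))
```

The point of the allow-list is that the legitimate `?author=1` filter keeps working while `author__password__startswith=...` and `author__is_superuser=True` are refused, so the result count can no longer be used as an oracle about rows the user has no permission to read.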

~~~
ericflo
Ahh yes, I misunderstood what he was trying to say.

------
bryanh
And I just updated my older stable installs to 1.2.3. Garph!

