liangliangyy DjangoBlog File Upload Vulnerability via Hard-Coded SECRET_KEY
Vulnerability
A vulnerability exists in liangliangyy DjangoBlog versions through 2.1.0.0, specifically within the file upload endpoint. The issue arises because the endpoint, located in blog/views.py, is exempt from CSRF protection and relies on a static HMAC signature derived from the SECRET_KEY for authentication. Because SECRET_KEY has a hard-coded fallback value, anyone can compute the upload signature, which permits unauthenticated arbitrary file uploads. Additionally, the ALLOWED_HOSTS setting is configured with a wildcard, disabling Host header validation and potentially enabling host-header injection attacks.
Impact
Exploitation of this vulnerability allows unauthenticated users to upload files to the server. When combined with the related hard-coded SECRET_KEY weakness, the upload can be carried out without any credentials.
Reproduction
To reproduce this vulnerability, first compute the upload signature as an HMAC-SHA-256 value keyed with the hard-coded SECRET_KEY; a short Python script suffices. Once the signature is obtained, it can be used to upload a file to the /upload endpoint. The server responds with a success message and the path of the uploaded file. Uploading with an invalid signature is rejected, which confirms that the signature check is the only gate on the endpoint and that knowledge of the hard-coded key alone is enough to pass it.
Remediation
It is recommended to replace the static HMAC authentication with proper session-based authentication and to re-enable CSRF protection on the upload view. The SECRET_KEY fallback should also be removed so that the application refuses to start without a key supplied from the environment, and ALLOWED_HOSTS should list the deployed hostnames explicitly.
