Bug 10996

Summary: python-django: Possible XSS via is_safe_url (CVE-2013-4249)
Product: Mageia Reporter: Oden Eriksson <oe>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: geiger.david68210, luigiwalser, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/564628/
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok mga3-32-ok
Source RPM: python-django CVE:
Status comment:

Description Oden Eriksson 2013-08-14 09:57:07 CEST 
https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/

"
Issue: Possible XSS via is_safe_url

A common pattern in Django applications is for a view to accept, via querystring parameter, a URL to redirect to upon successful completion of the view's processing. This pattern is used in code bundled with Django itself; for example, the login view in django.contrib.auth.views, which accepts such a parameter to determine where to send a user following successful login.

A utility function -- django.utils.http.is_safe_url() -- is provided and used to validate that this URL is on the current host (either via fully-qualified or relative URL), so as to avoid potentially dangerous redirects from maliciously-constructed querystrings.

The is_safe_url() function works as intended for HTTP and HTTPS URLs, but due to the manner in which it parses the URL, will permit redirects to other schemes, such as javascript:. While the Django project is unaware of any demonstrated ability to perform cross-site scripting attacks via this mechanism, the potential for such is sufficient to trigger a security response.

To remedy this issue, the is_safe_url() function has been modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS.

Thanks to Nick Bruun for reporting this issue to us.
"

Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-08-14 09:57:39 CEST 
1.4.6 has been submitted to 3 and cauldron.
Comment 2 David Walser 2013-08-14 13:32:44 CEST 
The upstream announcement doesn't mention 1.3.x, which we have in Mageia 2.  Is that because it's not affected, or just because it's no longer supported upstream?
Comment 3 Oden Eriksson 2013-08-14 13:49:49 CEST 
https://www.djangoproject.com/download/

"
Unsupported previous releases (no longer receive security updates or bugfixes)

    Django 1.3.7: Django-1.3.7.tar.gz
    Checksum: Django-1.3.7.checksum.txt
    Django 1.2.7: Django-1.2.7.tar.gz
    Checksum: Django-1.2.7.checksum.txt
    Django 1.1.4: Django-1.1.4.tar.gz
    Checksum: Django-1.1.4.checksum.txt
    Django 1.0.4: Django-1.0.4.tar.gz
    Checksum: Django-1.0.4.checksum.txt
"
Comment 4 Oden Eriksson 2013-08-14 13:52:26 CEST 
python-django-1.3.7-1.1.mga2 has been submitted with this fix applied.
Comment 5 David Walser 2013-08-14 14:05:03 CEST 
Thanks Oden!

Assigning to QA.

Advisory:
========================

Updated python-django package fixes security vulnerability:

The is_safe_url() function has been modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS, to prevent cross-site
scripting attacks through redirecting to other schemes, such as javascript:.

References:
https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
========================

Updated packages in core/updates_testing:
========================
python-django-1.3.7-1.1.mga2
python-django-1.4.6-1.mga3

from SRPMS:
python-django-1.3.7-1.1.mga2.src.rpm
python-django-1.4.6-1.mga3.src.rpm

CC: (none) => luigiwalser
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA2TOO

Comment 6 David Walser 2013-08-14 15:10:21 CEST 
Just FYI, a CVE has been requested and will likely be granted soon:
http://openwall.com/lists/oss-security/2013/08/14/1
Comment 7 David Walser 2013-08-15 15:11:25 CEST 
CVE-2013-4249 has been assigned:
http://openwall.com/lists/oss-security/2013/08/15/1

Advisory:
========================

Updated python-django package fixes security vulnerability:

The is_safe_url() function has been modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS, to prevent cross-site
scripting attacks through redirecting to other schemes, such as javascript:
(CVE-2013-4249).

References:
https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4249
========================

Updated packages in core/updates_testing:
========================
python-django-1.3.7-1.1.mga2
python-django-1.4.6-1.mga3

from SRPMS:
python-django-1.3.7-1.1.mga2.src.rpm
python-django-1.4.6-1.mga3.src.rpm

Summary: python-django: Possible XSS via is_safe_url => python-django: Possible XSS via is_safe_url (CVE-2013-4249)

Comment 8 claire robinson 2013-08-19 16:32:35 CEST 
No public PoC

Testing procedure:

Mga2: https://docs.djangoproject.com/en/1.3/intro/tutorial01/

Mga3: https://docs.djangoproject.com/en/1.4/intro/tutorial01/

They may be the same but are different versions so different docs.
Comment 9 claire robinson 2013-08-19 16:40:43 CEST 
Testing complete mga2 64

$ django-admin.py startproject mysite

$ cd mysite
$ ls
__init__.py  manage.py  settings.py  urls.py

$ python manage.py runserver
Validating models...

0 errors found
Django version 1.3.7, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[19/Aug/2013 09:36:55] "GET / HTTP/1.1" 200 2051

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c

Repeated after updating.

Whiteboard: MGA2TOO => MGA2TOO has_procedure mga2-64-ok

Comment 10 David GEIGER 2013-08-20 12:20:25 CEST 
Testing complete mga2_32, ok for me nothing to report.

[david@localhost ~]$ django-admin.py startproject mysite

[david@localhost ~]$ cd mysite
[david@localhost mysite]$ ls
__init__.py  manage.py  settings.py  urls.py

[david@localhost mysite]$ python manage.py runserver
Validating models...

0 errors found
Django version 1.3.7, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[20/Aug/2013 05:18:15] "GET / HTTP/1.1" 200 2051

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c

CC: (none) => geiger.david68210

David GEIGER 2013-08-20 12:20:41 CEST

Whiteboard: MGA2TOO has_procedure mga2-64-ok => MGA2TOO has_procedure mga2-64-ok mga2-32-ok

Comment 11 David GEIGER 2013-08-20 12:34:36 CEST 
Testing complete mga3_64, ok for me nothing to report.

[david@localhost ~]$ django-admin.py startproject mysite

[david@localhost ~]$ cd mysite
[david@localhost mysite]$ ls
manage.py*  mysite/

[david@localhost mysite]$ cd mysite
[david@localhost mysite]$ ls 
__init__.py  settings.py  urls.py      wsgi.py 

[david@localhost mysite]$ python manage.py runserver
Validating models...

0 errors found
Django version 1.4.6, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[20/Aug/2013 05:30:13] "GET / HTTP/1.1" 200 1957

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c
David GEIGER 2013-08-20 12:34:50 CEST

Whiteboard: MGA2TOO has_procedure mga2-64-ok mga2-32-ok => MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok

Comment 12 claire robinson 2013-08-20 12:40:14 CEST 
Advisory from comment 7 uploaded
Comment 13 David GEIGER 2013-08-20 12:44:18 CEST 
Testing complete mga3_32, ok for me nothing to report.

[david@localhost ~]$ django-admin.py startproject mysite

[david@localhost ~]$ cd mysite
[david@localhost mysite]$ ls
manage.py*  mysite/

[david@localhost mysite]$ cd mysite
[david@localhost mysite]$ ls 
__init__.py  settings.py  urls.py      wsgi.py 

[david@localhost mysite]$ python manage.py runserver
Validating models...

0 errors found
Django version 1.4.6, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[20/Aug/2013 05:42:00] "GET / HTTP/1.1" 200 1957

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c
David GEIGER 2013-08-20 12:44:35 CEST

Whiteboard: MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok => MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok mga3-32-ok

Comment 14 claire robinson 2013-08-20 12:47:16 CEST 
Thankyou, validating.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 15 Thomas Backlund 2013-08-22 20:15:09 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0256.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2013-08-23 17:31:43 CEST

URL: https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/ => http://lwn.net/Vulnerabilities/564628/