https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/

"
Issue: Possible XSS via is_safe_url

A common pattern in Django applications is for a view to accept, via querystring parameter, a URL to redirect to upon successful completion of the view's processing. This pattern is used in code bundled with Django itself; for example, the login view in django.contrib.auth.views, which accepts such a parameter to determine where to send a user following successful login.

A utility function -- django.utils.http.is_safe_url() -- is provided and used to validate that this URL is on the current host (either via fully-qualified or relative URL), so as to avoid potentially dangerous redirects from maliciously-constructed querystrings.

The is_safe_url() function works as intended for HTTP and HTTPS URLs, but due to the manner in which it parses the URL, will permit redirects to other schemes, such as javascript:. While the Django project is unaware of any demonstrated ability to perform cross-site scripting attacks via this mechanism, the potential for such is sufficient to trigger a security response.

To remedy this issue, the is_safe_url() function has been modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS.

Thanks to Nick Bruun for reporting this issue to us.
"

Reproducible:

Steps to Reproduce:
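The advisory quoted above describes the defect at the level of "the URL parser lets a non-HTTP scheme through". The following is an added example of what a redirect-target check has to do to close that hole; it is illustration code written for this report, not Django's is_safe_url() or its patch, and the function name, the allowed-scheme set and the sample URLs in the demo are all constructed. It rejects any explicit scheme other than http/https (the javascript: case from the advisory) and additionally rejects foreign hosts, backslash and triple-slash tricks, and embedded control characters, since those are the other ways a "same host" check of this kind is commonly bypassed.

```python
from urllib.parse import urlparse

# Constructed for this example: the only schemes a redirect target may carry.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect_url(url, host):
    """Return True only if `url` is a relative path or an absolute http(s)
    URL whose host is exactly `host`.

    Hypothetical helper, not Django's own implementation. `host` is the
    request host (including port if one is used), e.g. "example.com".
    """
    if not url:
        return False
    # Browsers strip tabs/newlines and tolerate leading spaces before
    # parsing, so "\tjavascript:..." may still become a javascript: URL.
    # Reject anything containing whitespace or other C0 control characters.
    if any(c.isspace() or ord(c) < 0x20 for c in url):
        return False
    # Browsers treat backslashes as forward slashes; normalise the same way
    # so that "/\evil.example" is seen as the protocol-relative "//evil.example".
    url = url.replace("\\", "/")
    # "///host" is parsed by urlparse as an empty netloc plus path, but a
    # browser reads it as a host, so refuse it outright.
    if url.startswith("///"):
        return False
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    # The defect from the advisory: a scheme is present but is not HTTP(S).
    if scheme and scheme not in ALLOWED_SCHEMES:
        return False
    # A scheme with no authority ("http:foo") is not a plain relative path;
    # refuse it rather than guess how a browser will resolve it.
    if scheme and not parsed.netloc:
        return False
    # Absolute or protocol-relative URL: the authority must be our host.
    # Comparing the full netloc also catches "user@evil.example" tricks.
    if parsed.netloc and parsed.netloc.lower() != host.lower():
        return False
    return True


def check_samples(host="example.com"):
    """Run the check over constructed sample inputs; returns {url: verdict}."""
    samples = [
        "/accounts/profile/",                 # relative path: allowed
        "https://example.com/next",           # absolute, same host: allowed
        "javascript:alert(1)",                # non-HTTP scheme: rejected
        "JAVASCRIPT:alert(1)",                # case variant: rejected
        "\tjavascript:alert(1)",              # control char prefix: rejected
        "//evil.example/",                    # protocol-relative foreign host
        "/\\evil.example/",                   # backslash variant of the above
        "///evil.example",                    # triple slash: rejected
        "http://example.com@evil.example/",   # userinfo trick: rejected
        "http:alert",                         # scheme without host: rejected
        "",                                   # empty: rejected
    ]
    return {u: is_safe_redirect_url(u, host) for u in samples}


if __name__ == "__main__":
    for url, ok in check_samples().items():
        print(f"{'ALLOW ' if ok else 'REJECT'}  {url!r}")
```

In a real Django application the right fix is to upgrade to a version that carries the corrected check rather than to roll a private one; current Django exposes this logic as django.utils.http.url_has_allowed_host_and_scheme(). The example is useful as a reference for what a reviewer should expect such a check to cover, and as a quick way to test a candidate value a view is about to pass to a redirect.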
1.4.6 has been submitted to 3 and cauldron.
The upstream announcement doesn't mention 1.3.x, which we have in Mageia 2. Is that because it's not affected, or just because it's no longer supported upstream?
https://www.djangoproject.com/download/

"
Unsupported previous releases (no longer receive security updates or bugfixes)

Django 1.3.7: Django-1.3.7.tar.gz  Checksum: Django-1.3.7.checksum.txt
Django 1.2.7: Django-1.2.7.tar.gz  Checksum: Django-1.2.7.checksum.txt
Django 1.1.4: Django-1.1.4.tar.gz  Checksum: Django-1.1.4.checksum.txt
Django 1.0.4: Django-1.0.4.tar.gz  Checksum: Django-1.0.4.checksum.txt
"
python-django-1.3.7-1.1.mga2 has been submitted with this fix applied.
Thanks Oden! Assigning to QA.

Advisory:
========================

Updated python-django package fixes security vulnerability:

The is_safe_url() function has been modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS, to prevent cross-site scripting attacks through redirecting to other schemes, such as javascript:.

References:
https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
========================

Updated packages in core/updates_testing:
========================
python-django-1.3.7-1.1.mga2
python-django-1.4.6-1.mga3

from SRPMS:
python-django-1.3.7-1.1.mga2.src.rpm
python-django-1.4.6-1.mga3.src.rpm
CC: (none) => luigiwalser
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA2TOO
Just FYI, a CVE has been requested and will likely be granted soon: http://openwall.com/lists/oss-security/2013/08/14/1
CVE-2013-4249 has been assigned:
http://openwall.com/lists/oss-security/2013/08/15/1

Advisory:
========================

Updated python-django package fixes security vulnerability:

The is_safe_url() function has been modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS, to prevent cross-site scripting attacks through redirecting to other schemes, such as javascript: (CVE-2013-4249).

References:
https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4249
========================

Updated packages in core/updates_testing:
========================
python-django-1.3.7-1.1.mga2
python-django-1.4.6-1.mga3

from SRPMS:
python-django-1.3.7-1.1.mga2.src.rpm
python-django-1.4.6-1.mga3.src.rpm
Summary: python-django: Possible XSS via is_safe_url => python-django: Possible XSS via is_safe_url (CVE-2013-4249)
No public PoC

Testing procedure:
Mga2: https://docs.djangoproject.com/en/1.3/intro/tutorial01/
Mga3: https://docs.djangoproject.com/en/1.4/intro/tutorial01/

They may be the same but are different versions so different docs.
Testing complete mga2 64

$ django-admin.py startproject mysite
$ cd mysite
$ ls
__init__.py  manage.py  settings.py  urls.py
$ python manage.py runserver
Validating models...

0 errors found
Django version 1.3.7, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[19/Aug/2013 09:36:55] "GET / HTTP/1.1" 200 2051

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c

Repeated after updating.
Whiteboard: MGA2TOO => MGA2TOO has_procedure mga2-64-ok
Testing complete mga2_32, ok for me nothing to report.

[david@localhost ~]$ django-admin.py startproject mysite
[david@localhost ~]$ cd mysite
[david@localhost mysite]$ ls
__init__.py  manage.py  settings.py  urls.py
[david@localhost mysite]$ python manage.py runserver
Validating models...

0 errors found
Django version 1.3.7, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[20/Aug/2013 05:18:15] "GET / HTTP/1.1" 200 2051

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c
CC: (none) => geiger.david68210
Whiteboard: MGA2TOO has_procedure mga2-64-ok => MGA2TOO has_procedure mga2-64-ok mga2-32-ok
Testing complete mga3_64, ok for me nothing to report.

[david@localhost ~]$ django-admin.py startproject mysite
[david@localhost ~]$ cd mysite
[david@localhost mysite]$ ls
manage.py*  mysite/
[david@localhost mysite]$ cd mysite
[david@localhost mysite]$ ls
__init__.py  settings.py  urls.py  wsgi.py
[david@localhost mysite]$ python manage.py runserver
Validating models...

0 errors found
Django version 1.4.6, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[20/Aug/2013 05:30:13] "GET / HTTP/1.1" 200 1957

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga2-32-ok => MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok
Advisory from comment 7 uploaded
Testing complete mga3_32, ok for me nothing to report.

[david@localhost ~]$ django-admin.py startproject mysite
[david@localhost ~]$ cd mysite
[david@localhost mysite]$ ls
manage.py*  mysite/
[david@localhost mysite]$ cd mysite
[david@localhost mysite]$ ls
__init__.py  settings.py  urls.py  wsgi.py
[david@localhost mysite]$ python manage.py runserver
Validating models...

0 errors found
Django version 1.4.6, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[20/Aug/2013 05:42:00] "GET / HTTP/1.1" 200 1957

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok => MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok mga3-32-ok
Thank you, validating. Could sysadmin please push from 2&3 core/updates_testing to updates. Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0256.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/ => http://lwn.net/Vulnerabilities/564628/