Bug 10996 - python-django: Possible XSS via is_safe_url (CVE-2013-4249)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/564628/
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga2...
Keywords: validated_update
Reported: 2013-08-14 09:57 CEST by Oden Eriksson
Modified: 2013-08-23 17:31 CEST (History)

Source RPM: python-django


Description Oden Eriksson 2013-08-14 09:57:07 CEST
https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/

"
Issue: Possible XSS via is_safe_url

A common pattern in Django applications is for a view to accept, via querystring parameter, a URL to redirect to upon successful completion of the view's processing. This pattern is used in code bundled with Django itself; for example, the login view in django.contrib.auth.views, which accepts such a parameter to determine where to send a user following successful login.

A utility function -- django.utils.http.is_safe_url() -- is provided and used to validate that this URL is on the current host (either via fully-qualified or relative URL), so as to avoid potentially dangerous redirects from maliciously-constructed querystrings.

The is_safe_url() function works as intended for HTTP and HTTPS URLs, but due to the manner in which it parses the URL, will permit redirects to other schemes, such as javascript:. While the Django project is unaware of any demonstrated ability to perform cross-site scripting attacks via this mechanism, the potential for such is sufficient to trigger a security response.

To remedy this issue, the is_safe_url() function has been modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS.

Thanks to Nick Bruun for reporting this issue to us.
"

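The announcement above describes the defect only in words: the check compared the URL's host part and nothing else, so a URL with no host but a non-HTTP scheme slipped through. The following is an added illustration written for this bug report, not code from Django, from the Mageia packages, or from the reporter. It places a host-only check, modelled on the behaviour the announcement describes (an assumption about the shape of the old logic, not a copy of it), beside a scheme-aware check of the kind the fix describes, and runs both over constructed redirect targets. It is Python 3 using urllib.parse; the host names and URLs are constructed for the example.

```python
from urllib.parse import urlparse

# Schemes a post-login redirect is allowed to use.
ALLOWED_SCHEMES = {"http", "https"}


def host_only_check(url, host):
    """Host-only validation: accepts any URL whose netloc is empty or equals
    `host`.  A scheme with no netloc (javascript:, data:, ...) passes because
    urlparse() reports an empty netloc for it.  Illustrative model of the
    flawed behaviour, not Django's implementation."""
    if not url:
        return False
    netloc = urlparse(url).netloc
    return not netloc or netloc == host


def scheme_aware_check(url, host):
    """Scheme-aware validation: the host rule above plus a whitelist of
    schemes.  A relative URL has no scheme and is accepted; anything that
    names a scheme outside ALLOWED_SCHEMES is rejected."""
    if not url:
        return False
    parts = urlparse(url)
    host_ok = not parts.netloc or parts.netloc == host
    scheme_ok = not parts.scheme or parts.scheme.lower() in ALLOWED_SCHEMES
    return host_ok and scheme_ok


def safe_redirect_target(url, host, fallback="/"):
    """The view-side pattern the announcement describes: take the requested
    target from the querystring, keep it only if it validates, otherwise
    fall back to a fixed local path."""
    return url if scheme_aware_check(url, host) else fallback


def compare_checks(host, candidates):
    """Run both checks over a list of candidate redirect targets and return
    {url: (host_only_result, scheme_aware_result)} so the difference between
    the two policies is visible in one table."""
    return {u: (host_only_check(u, host), scheme_aware_check(u, host))
            for u in candidates}


if __name__ == "__main__":
    # Constructed sample targets; "example.com" stands in for the current host.
    samples = [
        "/accounts/profile/",          # relative: fine under both checks
        "http://example.com/next",     # same host, HTTP: fine under both
        "https://example.com/next",    # same host, HTTPS: fine under both
        "http://evil.example/",        # other host: rejected by both
        "//evil.example/",             # protocol-relative other host: rejected by both
        "ftp://example.com/pub",       # same host, other scheme: only the new check rejects
        "javascript:void(0)",          # no host, javascript: scheme: only the new check rejects
    ]
    for url, (old, new) in compare_checks("example.com", samples).items():
        print(f"{url:28} host-only={old!s:5} scheme-aware={new!s:5}")
```

The table printed by the `__main__` block is the whole point: every entry that the host-only check and the scheme-aware check disagree on is a URL that carries a scheme other than HTTP or HTTPS while having either no host or the current host. A practitioner hardening an older application can drop the same two-rule check in front of any redirect taken from request data; note that the fallback in `safe_redirect_target` is a fixed local path, so an invalid target never turns into an open redirect.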
Comment 1 Oden Eriksson 2013-08-14 09:57:39 CEST
1.4.6 has been submitted to 3 and cauldron.
Comment 2 David Walser 2013-08-14 13:32:44 CEST
The upstream announcement doesn't mention 1.3.x, which we have in Mageia 2.  Is that because it's not affected, or just because it's no longer supported upstream?
Comment 3 Oden Eriksson 2013-08-14 13:49:49 CEST
https://www.djangoproject.com/download/

"
Unsupported previous releases (no longer receive security updates or bugfixes)

    Django 1.3.7: Django-1.3.7.tar.gz
    Checksum: Django-1.3.7.checksum.txt
    Django 1.2.7: Django-1.2.7.tar.gz
    Checksum: Django-1.2.7.checksum.txt
    Django 1.1.4: Django-1.1.4.tar.gz
    Checksum: Django-1.1.4.checksum.txt
    Django 1.0.4: Django-1.0.4.tar.gz
    Checksum: Django-1.0.4.checksum.txt
"
Comment 4 Oden Eriksson 2013-08-14 13:52:26 CEST
python-django-1.3.7-1.1.mga2 has been submitted with this fix applied.
Comment 5 David Walser 2013-08-14 14:05:03 CEST
Thanks Oden!

Assigning to QA.

Advisory:
========================

Updated python-django package fixes security vulnerability:

The is_safe_url() function has been modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS, to prevent cross-site scripting attacks through redirecting to other schemes, such as javascript:.

References:
https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
========================

Updated packages in core/updates_testing:
========================
python-django-1.3.7-1.1.mga2
python-django-1.4.6-1.mga3

from SRPMS:
python-django-1.3.7-1.1.mga2.src.rpm
python-django-1.4.6-1.mga3.src.rpm
Comment 6 David Walser 2013-08-14 15:10:21 CEST
Just FYI, a CVE has been requested and will likely be granted soon:
http://openwall.com/lists/oss-security/2013/08/14/1
Comment 7 David Walser 2013-08-15 15:11:25 CEST
CVE-2013-4249 has been assigned:
http://openwall.com/lists/oss-security/2013/08/15/1

Advisory:
========================

Updated python-django package fixes security vulnerability:

The is_safe_url() function has been modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS, to prevent cross-site scripting attacks through redirecting to other schemes, such as javascript: (CVE-2013-4249).

References:
https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4249
========================

Updated packages in core/updates_testing:
========================
python-django-1.3.7-1.1.mga2
python-django-1.4.6-1.mga3

from SRPMS:
python-django-1.3.7-1.1.mga2.src.rpm
python-django-1.4.6-1.mga3.src.rpm
Comment 8 claire robinson 2013-08-19 16:32:35 CEST
No public PoC

Testing procedure:

Mga2: https://docs.djangoproject.com/en/1.3/intro/tutorial01/

Mga3: https://docs.djangoproject.com/en/1.4/intro/tutorial01/

They may be the same but are different versions so different docs.
Comment 9 claire robinson 2013-08-19 16:40:43 CEST
Testing complete mga2 64

$ django-admin.py startproject mysite

$ cd mysite
$ ls
__init__.py  manage.py  settings.py  urls.py

$ python manage.py runserver
Validating models...

0 errors found
Django version 1.3.7, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[19/Aug/2013 09:36:55] "GET / HTTP/1.1" 200 2051

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c

Repeated after updating.
Comment 10 David GEIGER 2013-08-20 12:20:25 CEST
Testing complete mga2_32, ok for me nothing to report.

[david@localhost ~]$ django-admin.py startproject mysite

[david@localhost ~]$ cd mysite
[david@localhost mysite]$ ls
__init__.py  manage.py  settings.py  urls.py

[david@localhost mysite]$ python manage.py runserver
Validating models...

0 errors found
Django version 1.3.7, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[20/Aug/2013 05:18:15] "GET / HTTP/1.1" 200 2051

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c
Comment 11 David GEIGER 2013-08-20 12:34:36 CEST
Testing complete mga3_64, ok for me nothing to report.

[david@localhost ~]$ django-admin.py startproject mysite

[david@localhost ~]$ cd mysite
[david@localhost mysite]$ ls
manage.py*  mysite/

[david@localhost mysite]$ cd mysite
[david@localhost mysite]$ ls 
__init__.py  settings.py  urls.py      wsgi.py 

[david@localhost mysite]$ python manage.py runserver
Validating models...

0 errors found
Django version 1.4.6, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[20/Aug/2013 05:30:13] "GET / HTTP/1.1" 200 1957

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c
Comment 12 claire robinson 2013-08-20 12:40:14 CEST
Advisory from comment 7 uploaded
Comment 13 David GEIGER 2013-08-20 12:44:18 CEST
Testing complete mga3_32, ok for me nothing to report.

[david@localhost ~]$ django-admin.py startproject mysite

[david@localhost ~]$ cd mysite
[david@localhost mysite]$ ls
manage.py*  mysite/

[david@localhost mysite]$ cd mysite
[david@localhost mysite]$ ls 
__init__.py  settings.py  urls.py      wsgi.py 

[david@localhost mysite]$ python manage.py runserver
Validating models...

0 errors found
Django version 1.4.6, using settings 'mysite.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[20/Aug/2013 05:42:00] "GET / HTTP/1.1" 200 1957

Viewed mysite in a browser at http://localhost:8000 before quitting with ctrl-c
Comment 14 claire robinson 2013-08-20 12:47:16 CEST
Thank you, validating.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
Comment 15 Thomas Backlund 2013-08-22 20:15:09 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0256.html
