The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2014:0456 advisory.

    The Django web framework is used by horizon, the OpenStack Dashboard, which     is a web interface for managing OpenStack services.

    A flaw was found in the way Django's reverse() URL resolver function     constructed certain URLs. A remote attacker able to request a specially     crafted view from a Django application could use this flaw to import and     execute arbitrary Python modules on the system under the privileges of the     user running the application. (CVE-2014-0472)

    It was found that Django's caching framework reused Cross-Site Request     Forgery (CSRF) nonces for all requests from unauthenticated clients.
    A remote attacker could use this flaw to acquire the CSRF token of a     different user and bypass intended CSRF protections in a Django     application. (CVE-2014-0473)

    It was discovered that certain Django model field classes did not properly     perform type conversion on their arguments. A remote attacker could use     this flaw to submit a specially crafted SQL query that, when processed by a     Django application using a MySQL database, could have various     application-specific impacts on the MySQL database. (CVE-2014-0474)

    Red Hat would like to thank the upstream Django project for reporting this     issue. Upstream acknowledges Benjamin Bach as the original reporter of     CVE-2014-0472, Paul McMillan as the original reporter of CVE-2014-0473, and     the Ruby on Rails team, and specifically Michael Koziarski, as the original     reporters of CVE-2014-0474.

    All users of OpenStack Dashboard are advised to upgrade to these updated     packages, which resolve these issues. After installing the updated     packages, the httpd daemon must be restarted (service httpd restart) for     the update to take effect.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Solaris system is missing necessary patches to address security updates :

  - The django.core.urlresolvers.reverse function in Django     before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3,     and 1.7.x before 1.7 beta 2 allows remote attackers to     import and execute arbitrary Python modules by     leveraging a view that constructs URLs using user input     and a 'dotted Python path.' (CVE-2014-0472)

  - The caching framework in Django before 1.4.11, 1.5.x     before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7     beta 2 reuses a cached CSRF token for all anonymous     users, which allows remote attackers to bypass CSRF     protections by reading the CSRF cookie for anonymous     users. (CVE-2014-0473)

  - The (1) FilePathField, (2) GenericIPAddressField, and     (3) IPAddressField model field classes in Django before     1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and     1.7.x before 1.7 beta 2 do not properly perform type     conversion, which allows remote attackers to have     unspecified impact and vectors, related to 'MySQL     typecasting.' (CVE-2014-0474)

Python Django was updated to fix security issues and bugs.

Update to version 1.4.15 on openSUSE 12.3 :

  + Prevented reverse() from generating URLs pointing to     other hosts to prevent phishing attacks (bnc#893087,     CVE-2014-0480)

  + Removed O(n) algorithm when uploading duplicate file     names to fix file upload denial of service (bnc#893088,     CVE-2014-0481)

  + Modified RemoteUserMiddleware to logout on REMOTE_USE     change to prevent session hijacking (bnc#893089,     CVE-2014-0482)

  + Prevented data leakage in contrib.admin via query string     manipulation (bnc#893090, CVE-2014-0483)

  + Fixed: Caches may incorrectly be allowed to store and     serve private data (bnc#877993, CVE-2014-1418)

  + Fixed: Malformed redirect URLs from user input not     correctly validated (bnc#878641, CVE-2014-3730)

  + Fixed queries that may return unexpected results on     MySQL due to typecasting (bnc#874956, CVE-2014-0474)

  + Prevented leaking the CSRF token through caching     (bnc#874955, CVE-2014-0473)

  + Fixed a remote code execution vulnerability in URL     reversing (bnc#874950, CVE-2014-0472)

Update to version 1.5.10 on openSUSE 13.1 :

  + Prevented reverse() from generating URLs pointing to     other hosts to prevent phishing attacks (bnc#893087,     CVE-2014-0480)

  + Removed O(n) algorithm when uploading duplicate file     names to fix file upload denial of service (bnc#893088,     CVE-2014-0481)

  + Modified RemoteUserMiddleware to logout on REMOTE_USE     change to prevent session hijacking (bnc#893089,     CVE-2014-0482)

  + Prevented data leakage in contrib.admin via query string     manipulation (bnc#893090, CVE-2014-0483)

  - Update to version 1.5.8 :

  + Fixed: Caches may incorrectly be allowed to store and     serve private data (bnc#877993, CVE-2014-1418)

  + Fixed: Malformed redirect URLs from user input not     correctly validated (bnc#878641, CVE-2014-3730)

  + Fixed queries that may return unexpected results on     MySQL due to typecasting (bnc#874956, CVE-2014-0474)

  + Prevented leaking the CSRF token through caching     (bnc#874955, CVE-2014-0473)

  + Fixed a remote code execution vulnerability in URL     reversing (bnc#874950, CVE-2014-0472)

The remote host is affected by the vulnerability described in GLSA-201406-26 (Django: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Django. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could execute code with the privileges of the process,       modify SQL queries, or disclose sensitive information.
  Workaround :

    There is no known workaround at this time.

Multiple vulnerabilities has been discovered and corrected in python-django :

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers (CVE-2014-1418).

The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by http:\djangoproject.com. (CVE-2014-3730).

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a dotted Python path. (CVE-2014-0472).

The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users (CVE-2014-0473).

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to MySQL typecasting.
(CVE-2014-0474).

The updated packages have been patched to correct these issues.

Several vulnerabilities were discovered in Django, a high-level Python web development framework. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2014-0472     Benjamin Bach discovered that Django incorrectly handled     dotted Python paths when using the reverse() URL     resolver function. An attacker able to request a     specially crafted view from a Django application could     use this issue to cause Django to import arbitrary     modules from the Python path, resulting in possible code     execution.

  - CVE-2014-0473     Paul McMillan discovered that Django incorrectly cached     certain pages that contained CSRF cookies. A remote     attacker could use this flaw to acquire the CSRF token     of a different user and bypass intended CSRF protections     in a Django application.

  - CVE-2014-0474     Michael Koziarski discovered that certain Django model     field classes did not properly perform type conversion     on their arguments, which allows remote attackers to     obtain unexpected results.

  - CVE-2014-1418     Michael Nelson, Natalia Bidart and James Westby     discovered that cached data in Django could be served to     a different session, or to a user with no session at     all. An attacker may use this to retrieve private data     or poison caches.

  - CVE-2014-3730     Peter Kuma and Gavin Wahl discovered that Django     incorrectly validated certain malformed URLs from user     input. An attacker may use this to cause unexpected     redirects.

The Django project reports :

These releases address an unexpected code-execution issue, a caching issue which can expose CSRF tokens and a MySQL typecasting issue.
While these issues present limited risk and may not affect all Django users, we encourage all users to evaluate their own risk and upgrade as soon as possible.

The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-2169-1 advisory.

    Benjamin Bach discovered that Django incorrectly handled dotted Python paths when using the reverse()     function. An attacker could use this issue to cause Django to import arbitrary modules from the Python     path, resulting in possible code execution. (CVE-2014-0472)

    Paul McMillan discovered that Django incorrectly cached certain pages that contained CSRF cookies. An     attacker could possibly use this flaw to obtain a valid cookie and perform attacks which bypass the CSRF     restrictions. (CVE-2014-0473)

    Michael Koziarski discovered that Django did not always perform explicit conversion of certain fields when     using a MySQL database. An attacker could possibly use this issue to obtain unexpected results.
    (CVE-2014-0474)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
210209	RHEL 6 : Django (RHSA-2014:0456)	Nessus	Red Hat Local Security Checks	critical
80600	Oracle Solaris Third-Party Patch Update : django (multiple_vulnerabilities_in_django)	Nessus	Solaris Local Security Checks	critical
77718	openSUSE Security Update : python-django (openSUSE-SU-2014:1132-1)	Nessus	SuSE Local Security Checks	critical
76270	GLSA-201406-26 : Django: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
74446	Mandriva Linux Security Advisory : python-django (MDVSA-2014:113)	Nessus	Mandriva Local Security Checks	critical
74097	Debian DSA-2934-1 : python-django - security update	Nessus	Debian Local Security Checks	critical
73676	FreeBSD : django -- multiple vulnerabilities (59e72db2-cae6-11e3-8420-00e0814cab4e)	Nessus	FreeBSD Local Security Checks	critical
73665	Ubuntu 14.04 LTS : Django vulnerabilities (USN-2169-1)	Nessus	Ubuntu Local Security Checks	critical

Detections

Analytics

CVE-2014-0472

medium

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical