Django Addresses Security Bugs

Wednesday, April 23, 2014 @ 08:04 PM gHale


The developers of the Python framework Django released versions 1.4.11, 1.5.6, 1.6.3 and 1.7 beta 2 as part of the project’s security process; the releases address three issues.

The first issue is an unexpected code execution bug when using the reverse() function. The vulnerability, CVE-2014-0472, was reported by Benjamin Bach. Under certain conditions, an attacker can leverage this flaw to execute arbitrary code.


“To remedy this [vulnerability], reverse() will now only accept and import dotted paths based on the view-containing modules listed in the project’s URL pattern configuration, so as to ensure that only modules the developer intended to be imported in this fashion can or will be imported,” the Django team said in its advisory.

The second security hole, CVE-2014-0473, reported by Paul McMillan, concerns the caching of anonymous pages, which could reveal cross-site request forgery (CSRF) tokens.

The CSRF protection mechanism integrated into Django is based on a random nonce sent to the client in a cookie. The client must send this cookie on future requests. In the case of forms, a hidden value carrying the same nonce must be submitted back with the form.

Because of this flaw, an attacker could obtain a valid CSRF cookie and bypass the protection system.
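The caching flaw described above, as an added simulation that is not Django's own code: a path-keyed page cache in front of a form view. Caching the rendered page replays the first visitor's token and cookie to every later visitor, so the nonce is no longer per client; refusing to cache any response that embedded a token restores per-client nonces. Names such as Request, form_view and uses_csrf_token are assumptions for this example.

```python
import secrets
from typing import Dict, List, Optional

# Constructed simulation, not Django's code; class and function names are assumed.
CSRF_COOKIE = "csrftoken"

class Request:
    def __init__(self, path: str, cookies: Optional[Dict[str, str]] = None):
        self.path = path
        self.cookies = dict(cookies or {})

class Response:
    def __init__(self) -> None:
        self.body = ""
        self.cookie: Optional[str] = None  # nonce the server asks the client to store
        self.uses_csrf_token = False       # set once a token is embedded in the body

def get_token(request: Request, response: Response) -> str:
    # Reuse the client's nonce if it already has one, else mint a fresh one.
    response.uses_csrf_token = True
    return request.cookies.get(CSRF_COOKIE) or secrets.token_hex(16)

def form_view(request: Request) -> Response:
    response = Response()
    token = get_token(request, response)
    response.cookie = token
    response.body = f'<form method="post"><input type="hidden" name="csrfmiddlewaretoken" value="{token}"></form>'
    return response

def cached(view, skip_csrf_pages: bool):
    # Cache keyed on path only. With skip_csrf_pages=False this reproduces the flaw:
    # the first anonymous visitor's token and cookie are replayed to everyone after.
    store: Dict[str, Response] = {}
    def wrapped(request: Request) -> Response:
        if request.path not in store:
            response = view(request)
            if skip_csrf_pages and response.uses_csrf_token:
                return response  # mitigation: a page carrying a token is never cached
            store[request.path] = response
        return store[request.path]
    return wrapped

def hidden_token(response: Response) -> str:
    return response.body.split('value="')[1].split('"')[0]

def tokens_for_new_visitors(view, count: int = 3) -> List[str]:
    # Each call models a different anonymous client that has no cookie yet.
    return [hidden_token(view(Request("/form"))) for _ in range(count)]

flawed_view = cached(form_view, skip_csrf_pages=False)
fixed_view = cached(form_view, skip_csrf_pages=True)
```

Running tokens_for_new_visitors against flawed_view yields one shared token for all visitors; against fixed_view every visitor gets its own, and a returning client with an existing cookie keeps that value.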

A MySQL typecasting issue was also fixed. The Ruby on Rails team, specifically Michael Koziarski, reported the bug, which carries the identifier CVE-2014-0474.

“The MySQL database is known to ‘typecast’ on certain queries; for example, when querying a table which contains string values, but using a query which filters based on an integer value, MySQL will first silently coerce the strings to integers, and return a result based on that,” the advisory said.

Click here for additional technical details on these Django security issues.


