Bug 1004969 (CVE-2013-4315)

Summary: CVE-2013-4315 python-django: directory traversal with "ssi" template tag
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: aortega, apevec, athomas, ayoung, bkearney, chrisw, gkotton, iheim, jpichon, jrusnack, lhh, markmc, mrunge, rbryant, sclewis, security-response-team, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20130910,reported=20130903,source=upstream,cvss2=2.1/AV:N/AC:H/Au:S/C:P/I:N/A:N,fedora-all/python-django=affected,fedora-19/python-django14=affected,epel-6/Django14=affected,openstack-3/Django14=affected,openstack-4/Django14=affected,openstack-rdo/Django14=affected,sam-1/Django=wontfix,cwe=CWE-22
Fixed In Version: Django 1.4.7, Django 1.5.3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-01-20 13:51:59 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1007018, 1007019, 1007020, 1007021, 1007022, 1007023, 1007024
Bug Blocks: 1004971

Description Vincent Danen 2013-09-05 18:08:29 EDT
Django upstream reported the following vulnerability in Django:

Django's template language includes two methods of including and
rendering one template inside another:

1. The ``{% include %}`` tag takes a template name, and uses Django's
template loading mechanism (which is restricted to the directories
specified in the ``TEMPLATE_DIRS`` setting, as with any other
normal template load in Django).

2. The ``{% ssi %}`` tag, which takes a file path and includes that
file's contents (optionally parsing and rendering it as a
template).

Since the ``ssi`` tag is not restricted to ``TEMPLATE_DIRS``, it
represents a security risk; the setting ``ALLOWED_INCLUDE_ROOTS`` thus
is required, and specifies filesystem locations from which ``ssi`` may
read files.

A report has been submitted to and confirmed by the Django core team,
showing that the handling of the ``ALLOWED_INCLUDE_ROOTS`` setting is
vulnerable to a directory-traversal attack, by specifying a file path
which begins as the absolute path of a directory in
``ALLOWED_INCLUDE_ROOTS``, and then uses relative paths to break
free. So, for example, if ``/var/include`` is in
``ALLOWED_INCLUDE_ROOTS``, the following would be accepted:

{% ssi '/var/includes/../../etc/passwd' %}

Which would include the contents of ``/etc/passwd`` in the template's
output.

Note that performing this attack does require some specific
circumstances:

* The site to be attacked must have one or more templates making use
of the ``ssi`` tag, and must allow some form of unsanitized user
input to be used as an argument to the ``ssi`` tag, or

* The attacker must be in a position to alter templates on the site.

To remedy this, the ``ssi`` tag will now use Python's
``os.path.abspath`` to determine the absolute path of the file, and
whether it is actually located within a directory permitted by
``ALLOWED_INCLUDE_ROOTS``.


Acknowledgements:

Red Hat would like to thank James Bennett of Django for reporting this issue.
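The following is an added illustration of the path check the advisory above describes; it is not Django's code and not part of this bug report. It contrasts a plain prefix match on the raw path (which lets the advisory's ``/var/includes/../../etc/passwd`` example through) with a check that normalises the path with ``os.path.abspath`` first, as the remedy describes, plus a stricter variant (an assumption of this example, not something the advisory states) that also requires the resolved path to sit at a path-separator boundary below the root. The ``ALLOWED_INCLUDE_ROOTS`` value and the sample paths are constructed for the demonstration; ``posixpath`` is used so the results are the same on any host (on Linux it is the same module as ``os.path``).

```python
import posixpath

# Constructed sample setting for this example (not a real site's config).
# The advisory's own example uses /var/includes as the permitted root.
ALLOWED_INCLUDE_ROOTS = ("/var/includes",)


def is_allowed_naive(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Weak check: prefix match on the path string exactly as supplied.
    A path that begins with an allowed root but then climbs out with
    '..' segments passes, which is the traversal the advisory describes."""
    return any(filepath.startswith(root) for root in roots)


def is_allowed_abspath(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Check modelled on the remedy in the advisory: normalise the path
    first so '..' segments are collapsed, then compare against the roots.
    posixpath.abspath is used for portability; on Linux os.path.abspath
    behaves identically."""
    resolved = posixpath.abspath(filepath)
    return any(resolved.startswith(root) for root in roots)


def is_allowed_strict(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Stricter variant (this example's own addition, not from the advisory):
    the resolved path must be the root itself or lie below it at a
    '/' boundary, so a sibling directory whose name merely starts with the
    root's name (e.g. /var/includes2) is rejected as well."""
    resolved = posixpath.abspath(filepath)
    for root in roots:
        root = posixpath.abspath(root)
        if resolved == root or resolved.startswith(root.rstrip("/") + "/"):
            return True
    return False


# Constructed sample inputs: the advisory's traversal example, a legitimate
# include, a '..' that stays inside the root, a look-alike sibling
# directory, and an outright absolute path outside the root.
SAMPLE_PATHS = [
    "/var/includes/../../etc/passwd",
    "/var/includes/header.html",
    "/var/includes/sub/../footer.html",
    "/var/includes2/evil.html",
    "/etc/passwd",
]


def evaluate(paths=SAMPLE_PATHS):
    """Return {path: (naive, abspath, strict)} for each sample path."""
    return {
        p: (is_allowed_naive(p), is_allowed_abspath(p), is_allowed_strict(p))
        for p in paths
    }


if __name__ == "__main__":
    print(f"{'path':40} naive  abspath strict")
    for p, (n, a, s) in evaluate().items():
        print(f"{p:40} {str(n):6} {str(a):7} {s}")
```

Note that ``abspath`` only normalises the string; it does not follow symbolic links, so a symlink inside an allowed root that points elsewhere would still resolve to a permitted-looking path. If that matters in a deployment, ``os.path.realpath`` resolves links before the comparison, at the cost of a filesystem lookup.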
Comment 1 Vincent Danen 2013-09-11 14:17:33 EDT
External Reference:

https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/
Comment 4 Vincent Danen 2013-09-11 14:22:46 EDT
Created Django14 tracking bugs for this issue:

Affects: epel-6 [bug 1007020]
Comment 5 Vincent Danen 2013-09-11 14:22:54 EDT
Created python-django14 tracking bugs for this issue:

Affects: fedora-19 [bug 1007019]
Comment 6 Vincent Danen 2013-09-11 14:23:03 EDT
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1007018]
Comment 7 Fedora Update System 2013-09-24 18:56:34 EDT
python-django-1.5.4-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-09-24 19:00:16 EDT
python-django14-1.4.8-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2013-09-24 19:05:04 EDT
python-django14-1.4.8-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2013-10-01 13:35:42 EDT
Django14-1.4.8-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 errata-xmlrpc 2013-11-14 12:34:56 EST
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:1521 https://rhn.redhat.com/errata/RHSA-2013-1521.html