Bug 1016394 (CVE-2013-6044)

Summary: CVE-2013-6044 python-django: xss in is_safe_url function
Product: [Other] Security Response Reporter: Ratul Gupta <ratulg>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aortega, apevec, athomas, ayoung, bkabrda, bkearney, chrisw, gkotton, iheim, jrusnack, katello-bugs, lhh, markmc, mhroncok, michel, mrunge, rbryant, rhos-maint, sclewis, vdanen, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-01-22 18:41:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1016395, 1016396, 1022836    
Bug Blocks: 997123, 1016397    

Description Ratul Gupta 2013-10-08 06:01:14 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6044 to the following vulnerability:

Name: CVE-2013-6044
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6044
Assigned: 20131004

Reference: http://seclists.org/oss-sec/2013/q3/369
Reference: http://seclists.org/oss-sec/2013/q3/411
Reference: https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f
Reference: https://github.com/django/django/commit/ae3535169af804352517b7fea94a42a1c9c4b762
Reference: https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a
Reference: https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued
Reference: http://www.securityfocus.com/bid/61777
Reference: SECTRACK:1028915
Reference: http://www.securitytracker.com/id/1028915
Reference: SECUNIA:54476
Reference: http://secunia.com/advisories/54476
Reference: XF:django-issafeurl-xss(86437)
Reference: http://xforce.iss.net/xforce/xfdb/86437

The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme.
Comment 1 Ratul Gupta 2013-10-08 06:03:30 UTC 
Created Django14 tracking bugs for this issue:

Affects: epel-6 [bug 1016396]
Comment 2 Ratul Gupta 2013-10-08 06:03:56 UTC 
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1016395]
Comment 4 errata-xmlrpc 2013-11-14 17:35:26 UTC 
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:1521 https://rhn.redhat.com/errata/RHSA-2013-1521.html
Comment 6 Kurt Seifried 2014-05-30 04:40:20 UTC 
*** Bug 997121 has been marked as a duplicate of this bug. ***
Comment 7 Kurt Seifried 2016-01-22 18:41:51 UTC 
This does not affect any current versions of OpenStack.