Bug 1389417 (CVE-2016-9014)

Summary:

CVE-2016-9014 python-django: DNS rebinding vulnerability when 'DEBUG=True'

Product:

[Other] Security Response

Reporter:

Martin Prpič <mprpic>

Component:

vulnerability

Assignee:

Red Hat Product Security <security-response-team>

Status:

CLOSED WONTFIX

QA Contact:

Severity:

low

Docs Contact:

Priority:

low

Version:

unspecified

CC:

apevec, ayoung, bkearney, cbillett, chrisw, cvsbot-xmlrpc, gmollett, hvyas, jschluet, kbasil, lhh, lpeer, markmc, mrunge, nthomas, rbryant, sankarshan, sclewis, security-response-team, sisharma, srevivo, tdecacqu, tomckay

Target Milestone:

---

Keywords:

Security

Target Release:

---

Hardware:

All

OS:

Linux

Whiteboard:

Fixed In Version:

Django 1.10.3, Django 1.9.11, Django 1.8.16

Doc Type:

If docs needed, set a value

Doc Text:

Story Points:

---

Clone Of:

Environment:

Last Closed:

2019-06-08 03:01:24 UTC

Type:

---

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Bug Depends On:

1390684, 1390685, 1390687

Bug Blocks:

1389419

Attachments:

Description	Flags
host-validation-1.10.x.diff	none
host-validation-1.8.x.diff	none
host-validation-1.9.x.diff	none
host-validation-master.diff	none

Description Martin Prpič 2016-10-27 14:31:01 UTC

The following flaw was reported in Django:

Older versions of Django don't validate the 'Host' header against 'settings.ALLOWED_HOSTS' when 'settings.DEBUG=True'. This makes them vulnerable to a DNS rebinding attack:

http://benmmurphy.github.io/blog/2016/07/11/rails-webconsole-dns-rebinding/

While Django doesn't ship a module that allows remote code execution, this is at least a cross-site scripting vector, which could be quite serious if developers load a copy of the production database in development or connect to some production services for which there's no development instance, for example. If a project uses a package like the 'django-debug-toolbar', then the attacker could execute arbitrary SQL, which could be especially bad if the developers connect to the database with a superuser account.

'settings.ALLOWED_HOSTS' is now validated regardless of 'DEBUG'. For convenience, if 'ALLOWED_HOSTS' is empty and 'DEBUG=True', the following variations of localhost are allowed '['localhost', '127.0.0.1', '::1']'. If your local settings file has your production 'ALLOWED_HOSTS' value, you must now omit it to get those fallback values.

Comment 1 Martin Prpič 2016-10-27 14:31:20 UTC

Acknowledgments:

Name: the Django project

Comment 2 Martin Prpič 2016-10-27 14:34:43 UTC

Created attachment 1214627 [details]
host-validation-1.10.x.diff

Comment 3 Martin Prpič 2016-10-27 14:34:50 UTC

Created attachment 1214628 [details]
host-validation-1.8.x.diff

Comment 4 Martin Prpič 2016-10-27 14:34:57 UTC

Created attachment 1214629 [details]
host-validation-1.9.x.diff

Comment 5 Martin Prpič 2016-10-27 14:35:04 UTC

Created attachment 1214630 [details]
host-validation-master.diff

Comment 6 Andrej Nemec 2016-11-01 16:33:37 UTC

Public via:

https://www.djangoproject.com/weblog/2016/nov/01/security-releases/

Comment 7 Andrej Nemec 2016-11-01 16:36:22 UTC

Created Django14 tracking bugs for this issue:

Affects: epel-6 [bug 1390685]

Comment 8 Andrej Nemec 2016-11-01 16:36:37 UTC

Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1390684]

Comment 9 Andrej Nemec 2016-11-01 16:37:44 UTC

Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1390687]