Bug 1016394 (CVE-2013-6044) - CVE-2013-6044 python-django: xss in is_safe_url function
Summary: CVE-2013-6044 python-django: xss in is_safe_url function
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2013-6044
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 997121 (view as bug list)
Depends On: 1016395 1016396 1022836
Blocks: 997123 1016397
TreeView+ depends on / blocked
 
Reported: 2013-10-08 06:01 UTC by Ratul Gupta
Modified: 2019-09-29 13:09 UTC (History)
21 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-22 18:41:51 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1521 0 normal SHIPPED_LIVE Moderate: python-django security update 2013-11-14 22:29:40 UTC

Description Ratul Gupta 2013-10-08 06:01:14 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6044 to the following vulnerability:

Name: CVE-2013-6044
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6044
Assigned: 20131004

Reference: http://seclists.org/oss-sec/2013/q3/369
Reference: http://seclists.org/oss-sec/2013/q3/411
Reference: https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f
Reference: https://github.com/django/django/commit/ae3535169af804352517b7fea94a42a1c9c4b762
Reference: https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a
Reference: https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued
Reference: http://www.securityfocus.com/bid/61777
Reference: SECTRACK:1028915
Reference: http://www.securitytracker.com/id/1028915
Reference: SECUNIA:54476
Reference: http://secunia.com/advisories/54476
Reference: XF:django-issafeurl-xss(86437)
Reference: http://xforce.iss.net/xforce/xfdb/86437

The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme.
Comment 1 Ratul Gupta 2013-10-08 06:03:30 UTC 
Created Django14 tracking bugs for this issue:

Affects: epel-6 [bug 1016396]
Comment 2 Ratul Gupta 2013-10-08 06:03:56 UTC 
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1016395]
Comment 4 errata-xmlrpc 2013-11-14 17:35:26 UTC 
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:1521 https://rhn.redhat.com/errata/RHSA-2013-1521.html
Comment 6 Kurt Seifried 2014-05-30 04:40:20 UTC 
*** Bug 997121 has been marked as a duplicate of this bug. ***
Comment 7 Kurt Seifried 2016-01-22 18:41:51 UTC 
This does not affect any current versions of OpenStack.
Note You need to log in before you can comment on or make changes to this bug.