Bug 997117 - (CVE-2013-4249) CVE-2013-4249 python-django: XSS in admin interface
CVE-2013-4249 python-django: XSS in admin interface
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130813,repor...
: Security
Depends On: 997125
Blocks: 997123
  Show dependency treegraph
 
Reported: 2013-08-14 13:47 EDT by Vincent Danen
Modified: 2016-03-04 07:08 EST (History)
4 users (show)

See Also:
Fixed In Version: Django 1.5.2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-06 06:14:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2013-08-14 13:47:57 EDT
Django 1.5.2 was released to correct the following security flaw:

The Django administrative application, django.contrib.admin, provides functionality for CRUD (Creation, Retrieval, Updating and Deleting) operations by trusted users, including facilities for both automatic and customized data-manipulation interfaces.

When displaying the value of a URLField -- a model field type for storing URLs -- this interface treated the values of such fields as safe, thus failing to properly accommodate the potential for dangerous values. A proof-of-concept application has been provided to the Django project, showing how this can be exploited to perform XSS in the administrative interface.

In a normal Django deployment, this will only affect the administrative interface, as the incorrect handling occurs only in form-widget code in django.contrib.admin. It is, however, possible that other applications may be affected, if those applications make use of form widgets provided by the admin interface.

To remedy this issue, the widget in question -- django.contrib.admin.widgets.AdminURLFieldWidget -- has been corrected to treat its value the same as any other potentially-user-supplied value; in other words, it will be treated as unsafe, and subject to Django's (enabled by default) output escaping.

The upstream patch is here: https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78


External References:

https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
Comment 1 Vincent Danen 2013-08-14 13:57:24 EDT
Created python-django tracking bugs for this issue:

Affects: fedora-19 [bug 997125]
Comment 2 Vincent Danen 2013-08-19 11:48:13 EDT
This was assigned CVE-2013-4249:

http://www.openwall.com/lists/oss-security/2013/08/19/2
Comment 3 Fedora Update System 2013-08-22 20:42:41 EDT
python-django-1.5.2-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.