(LiveHacking.Com) – The Django team has released updated versions of the popular high-level Python Web framework to address several security related problems. Along with the updates to the 1.2 and 1.3 code bases the Django project has also released several advisories for other issues which, while not requiring changes to Django itself, will be of concern to its users.
- Session manipulation – For some configurations Django sessions are stored directly in the root namespace of the cache, using session identifiers as keys. This creates a potential attack when coupled with an application that stores user-supplied data in the cache. To mitigate this, the keys used to store sessions will now be namespaced in the cache.
- Denial of service attack via URLField – Django includes a field type, URLField, which validates that the supplied value is a valid URL; it can optionally be set to verify the URL by issuing a request to it. By default, the underlying socket libraries in Python do not have a timeout. This can manifest as a security problem in different ways, including an attacker supplying a URL under his or her control which simply holds the connection open indefinitely.
- URLField redirection – When validating a URL, if the URL redirects, no validation of the resulting redirected URL is performed, including basic checks for supported protocols (HTTP, HTTPS and FTP). This creates a small window for an attacker to gain knowledge of, for example, server layout; a redirect to a file:// URL, for example, will tell an attacker whether a given file exists locally on the server.
- Host header cache poisoning – In several places, Django itself, independent of the developer, generates full URLs. Currently this uses the value of the HTTP Host header from the request to construct the URL, which opens a potential cache-poisoning vector: an attacker can submit a request with a Host header of his or her choice, receive a response which constructs URLs using that Host header and, if that response is cached, further requests will be served out of cache using URLs containing the attacker’s host of choice.
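The Host header problem above, shown as an added example that is not Django's own code: the naive helper copies whatever Host the client sent into the generated URL, while the hardened helper first checks it against an allowlist of hostnames the deployment actually serves. The allowlist, its entries and the function names are assumptions made for this illustration.

```python
"""Absolute-URL generation from the request Host header (added example)."""

# Constructed allowlist: a leading dot allows the domain and any subdomain.
ALLOWED_HOSTS = ["example.com", ".example.org"]


class DisallowedHost(Exception):
    """Raised when the Host header names a host this deployment does not serve."""


def _split_host_port(host):
    """Return (hostname, port) from a Host header value; port may be ''.

    Returns (None, None) for malformed values so callers can reject them.
    """
    host = host.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8000
        end = host.find("]")
        rest = host[end + 1:] if end != -1 else ""
        if end == -1 or (rest and not rest.startswith(":")):
            return None, None
        return host[:end + 1], rest[1:]
    name, _, port = host.partition(":")
    return name, port


def host_is_allowed(host, allowed=ALLOWED_HOSTS):
    """True if the Host header matches an allowlist entry and has a sane port."""
    name, port = _split_host_port(host)
    if name is None or not name or (port and not port.isdigit()):
        return False
    for pattern in allowed:
        if pattern.startswith("."):
            if name == pattern[1:] or name.endswith(pattern):
                return True
        elif name == pattern:
            return True
    return False


def absolute_url_unsafe(headers, path, scheme="http"):
    """Vulnerable pattern: the client-controlled Host ends up in the URL,
    and a cached response now carries the attacker's host for everyone."""
    return "%s://%s%s" % (scheme, headers["Host"], path)


def absolute_url_checked(headers, path, scheme="http", allowed=ALLOWED_HOSTS):
    """Hardened pattern: refuse to build URLs for hosts we do not serve."""
    host = headers.get("Host", "")
    if not host_is_allowed(host, allowed):
        raise DisallowedHost("Host header %r is not in the allowlist" % host)
    return "%s://%s%s" % (scheme, host.strip().lower(), path)
```

Rejecting the request outright (HTTP 400) is preferable to silently substituting a default host, because it also keeps the bad response out of any cache in front of the application.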
The advisories issued discuss different ways in which an attacker could possibly bypass Django’s Cross Site Request Forgery protection mechanism. While not actual bugs in Django itself, they are potential vectors for attack that developers should take into consideration.
According to djangosites.org, Django is used by at least 4000 web sites and the figure is likely to be much higher. All Django users are encouraged to upgrade to the latest versions, and to implement the recommendations in the advisories, immediately.