Django Denial of Service and Information Leakage Vulnerability

Release date:
Updated on:

Affected Systems:
Django 1.4.x
Django 1.3.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 58061
CVE (CAN) ID: CVE-2013-0305, CVE-2013-0306
 
Django is an open-source Web application framework driven by Python programming language.
 
Django versions earlier than 1.3.6 and 1.4.4 have multiple vulnerabilities in implementation, which can be exploited by malicious users to bypass certain security restrictions and cause DOS.
 
1. There is an error when scaling XML entities. using specially crafted XML containing malicious attributes can consume a large amount of memory.
 
2. An error occurs when processing some XML data. Sensitive information can be leaked by including specially crafted XML data referenced by external entities.
 
3. When accessing the history view, the administrator interface does not correctly verify the access permission. You can view the access history of objects in the management interface.
 
4. An error exists in the form set when processing form submission. By submitting a specially crafted form, a large amount of memory is consumed and the application is unavailable.
 
<* Source: Orange Tsai

Link: https://www.djangoproject.com/weblog/2013/feb/19/security/
Http://secunia.com/advisories/52243/
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
Django
------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
 
Https://www.djangoproject.com/m/releases/1.3/Django-1.3.6.tar.gz