Release date:
Updated on: 2012-08-01
Affected Systems:
Django 1.4.x
Django 1.3.x
Description:
--------------------------------------------------------------------------------
BugTraq ID: 54729
CVE IDs: CVE-2012-3442, CVE-2012-3443, CVE-2012-3444
Django is an open-source web application framework written in Python.
Django 1.3.x and 1.4.x (and possibly other versions) contain three security vulnerabilities, which can be exploited by malicious users to perform cross-site scripting attacks and denial of service.
1) The login() and logout() views in django.contrib.auth accept a redirect target (the "next" parameter) and only checked that it did not point to a different host. A "data:" URL has no host, so it passed the check and was returned to the user as the redirect target; a crafted data: URL carrying script can therefore be used for cross-site scripting (CVE-2012-3442).
2) The ImageField form field validated an uploaded image by fully decoding it in memory (PIL's load()). A specially crafted image that decompresses to a very large bitmap can therefore be used to consume large amounts of memory (CVE-2012-3443).
3) get_image_dimensions() in django.core.files.images (used by ImageFile) determined an image's size by feeding the file to the image parser in fixed 1024-byte chunks until the size was known. For a file whose size information is not near the start, this means a very large number of parse attempts over the growing buffer, so a crafted file can consume server CPU time and memory until the application stops responding (CVE-2012-3444).
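The redirect check behind item 1, as an added illustration (this is not Django's own code, and the function names, the "/accounts/profile/" default and the sample payloads are assumptions made for the example): the host-only check lets a "data:" URL through because it has no host, while the hardened check additionally requires an http(s) scheme (or none) and rejects browser-style scheme-relative paths.

```python
import urllib.parse

DEFAULT_TARGET = "/accounts/profile/"  # hypothetical LOGIN_REDIRECT_URL stand-in


def redirect_target_host_only(next_url, request_host, default=DEFAULT_TARGET):
    """The vulnerable pattern: accept the target unless it names a *different*
    host. data: and javascript: URLs have no host, so they are accepted."""
    if not next_url:
        return default
    netloc = urllib.parse.urlparse(next_url).netloc
    if netloc and netloc != request_host:
        return default
    return next_url


def redirect_target_safe(next_url, request_host, default=DEFAULT_TARGET):
    """Hardened check (example code): allow only relative paths or http(s)
    URLs on our own host; everything else falls back to the default."""
    if not next_url:
        return default
    next_url = next_url.strip()
    parts = urllib.parse.urlparse(next_url)
    # Any scheme other than http/https (data:, javascript:, vbscript:, ...) is out.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default
    # "//evil.example/" and "http://evil.example/" both carry a foreign netloc.
    if parts.netloc and parts.netloc != request_host:
        return default
    # Browsers treat "/\evil.example" like "//evil.example"; urlparse does not.
    if next_url.startswith(("/\\", "\\")):
        return default
    return next_url


# Constructed sample payloads (not from the advisory).
PAYLOADS = {
    "relative": "/dashboard/",
    "same_host": "http://app.example/dashboard/",
    "other_host": "http://evil.example/",
    "scheme_relative": "//evil.example/",
    "data_xss": "data:text/html,<script>alert(document.cookie)</script>",
    "javascript": "javascript:alert(1)",
    "backslash": "/\\evil.example/",
}


def compare(request_host="app.example"):
    """Return {name: (host_only_result, safe_result)} for every payload."""
    return {
        name: (redirect_target_host_only(url, request_host),
               redirect_target_safe(url, request_host))
        for name, url in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, (weak, safe) in compare().items():
        print(f"{name:16} host-only -> {weak!r:60} safe -> {safe!r}")
```

Running the block prints the two verdicts side by side; the "data_xss", "javascript" and "backslash" rows are the ones the host-only check gets wrong.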
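The chunked size probing behind item 3 and a pre-decode size budget for item 2, as one added example (this is not Django's or PIL's code). To stay self-contained it uses a small hand-written TIFF header parser as a stand-in for the image library's parser, and a constructed little-endian TIFF whose IFD (which holds the dimensions) sits at the end of the file, a legal layout that is the worst case for chunked probing. Function names and the MAX_PIXELS value are assumptions.

```python
import io
import struct


def make_tiff_ifd_at_end(width, height, strip_bytes):
    """Constructed sample: minimal little-endian TIFF with the IFD after the
    pixel data, so the dimensions are unknowable until the whole file is read."""
    strip = b"\x00" * strip_bytes                    # fake pixel data
    ifd_offset = 8 + len(strip)
    header = b"II*\x00" + struct.pack("<I", ifd_offset)
    entries = [
        (256, 4, 1, width),        # ImageWidth, type LONG
        (257, 4, 1, height),       # ImageLength, type LONG
        (273, 4, 1, 8),            # StripOffsets: pixel data starts at byte 8
        (279, 4, 1, strip_bytes),  # StripByteCounts
    ]
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, value in entries:
        ifd += struct.pack("<HHII", tag, typ, count, value)
    ifd += struct.pack("<I", 0)                      # no next IFD
    return header + strip + ifd


def tiff_dimensions(buf):
    """Stand-in for the image library's header parser: (width, height) once
    enough bytes are buffered, None if more data is needed, ValueError if the
    data is not a little-endian TIFF."""
    if len(buf) < 8:
        return None
    if buf[:4] != b"II*\x00":
        raise ValueError("not a little-endian TIFF")
    ifd_offset = struct.unpack_from("<I", buf, 4)[0]
    if len(buf) < ifd_offset + 2:
        return None
    n = struct.unpack_from("<H", buf, ifd_offset)[0]
    if len(buf) < ifd_offset + 2 + 12 * n:
        return None
    width = height = None
    for i in range(n):
        tag, _typ, _count, value = struct.unpack_from("<HHII", buf, ifd_offset + 2 + 12 * i)
        if tag == 256:
            width = value
        elif tag == 257:
            height = value
    if width is None or height is None:
        raise ValueError("IFD lacks image dimensions")
    return width, height


def probe_dimensions(fileobj, chunk_size=1024, grow=False):
    """Feed the file to the parser chunk by chunk, the way get_image_dimensions()
    feeds PIL's parser. Returns (dims, parse_attempts, bytes_rescanned).
    grow=False: fixed 1024-byte chunks (the vulnerable behaviour).
    grow=True:  chunk size doubles each round (the fix), so attempts grow
                with log(file size) instead of file size."""
    buf = b""
    attempts = rescanned = 0
    while True:
        data = fileobj.read(chunk_size)
        if not data:
            return None, attempts, rescanned
        buf += data
        attempts += 1
        rescanned += len(buf)        # the parser re-examines the whole buffer
        dims = tiff_dimensions(buf)
        if dims is not None:
            return dims, attempts, rescanned
        if grow:
            chunk_size *= 2


MAX_PIXELS = 50_000_000  # hypothetical budget; size it to what the server can decode


def check_image_budget(fileobj, max_pixels=MAX_PIXELS):
    """Item 2 mitigation: reject an image by its *declared* size before any
    decoding, so a small file that decompresses to a huge bitmap never gets
    loaded. Returns (width, height) on success, raises ValueError otherwise."""
    dims, _, _ = probe_dimensions(fileobj, grow=True)
    if dims is None:
        raise ValueError("could not determine image dimensions")
    width, height = dims
    if width * height > max_pixels:
        raise ValueError(f"declared size {width}x{height} exceeds pixel budget")
    return dims


if __name__ == "__main__":
    sample = make_tiff_ifd_at_end(640, 480, 100_000)
    for grow in (False, True):
        dims, attempts, rescanned = probe_dimensions(io.BytesIO(sample), grow=grow)
        print(f"grow={grow}: dims={dims} attempts={attempts} bytes rescanned={rescanned}")
    bomb = make_tiff_ifd_at_end(100_000, 100_000, 1_000)  # 1 KB file, 10 Gpixel claim
    try:
        check_image_budget(io.BytesIO(bomb))
    except ValueError as exc:
        print("rejected:", exc)
```

For the 100 KB sample the fixed-chunk loop makes 98 parse attempts and rescans about 5 MB of buffer in total; the doubling loop needs 7 attempts. The pixel budget is the same idea as an image library's decompression-bomb limit: the declared dimensions are read from the header, which is cheap, and the decode is refused before the memory is committed.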
<* Source: Jeroen Dekkers
Links: http://secunia.com/advisories/50021/
https://www.djangoproject.com/weblog/2012/
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Django
------
Django has published a security advisory (July 30, 2012) and corresponding patches; the fixes are included in Django 1.3.2 and 1.4.1:
Security releases issued: cross-site scripting in authentication views; denial of service in image validation; denial of service in get_image_dimensions()
Link: https://www.djangoproject.com/weblog/2012/