Bugzilla – Bug 923176
VUL-1: CVE-2015-2317: python-django,python-Django: Django: possible XSS attack via user-supplied redirect URLs
Last modified: 2015-10-12 11:35:48 UTC
https://www.djangoproject.com/weblog/2015/mar/18/security-releases/

Mitigated possible XSS attack via user-supplied redirect URLs

Django relies on user input in some cases (e.g. django.contrib.auth.views.login and i18n) to redirect the user to an "on success" URL. The security checks for these redirects (namely django.utils.http.is_safe_url()) accepted URLs with leading control characters and so considered URLs like \x08javascript:... safe.

This issue doesn't affect Django currently, since we only put this URL into the Location response header and browsers seem to ignore JavaScript there. Browsers we tested also treat URLs prefixed with control characters such as %08//example.com as relative paths so redirection to an unsafe target isn't a problem either. However, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack as some browsers such as Google Chrome ignore control characters at the start of a URL in an anchor href.

Thanks Daniel Chatfield for reporting the issue.

This issue has been assigned the identifier CVE-2015-2317.
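The is_safe_url() weakness described in the comment above, as an added example that is not Django's own code: a naive redirect check that trusts urlparse alone, beside a hardened one that rejects a leading control or format character (Unicode category C), backslashes, triple slashes and a scheme without a host. The function names, the assumed application host example.com and the sample redirect targets are constructed for the example.

```python
"""Illustrative safe-redirect check for CVE-2015-2317 (not Django's own code)."""
import unicodedata
from urllib.parse import urlparse

HOST = "example.com"  # assumed host of the application


def naive_is_safe_url(url, host=HOST):
    """Check that trusts urlparse alone, in the spirit of the pre-fix logic.
    It treats "\\x08javascript:..." as safe on interpreters whose urlparse does
    not itself strip leading C0 control characters (recent Python versions do,
    so the outcome on such input is version dependent)."""
    if not url:
        return False
    info = urlparse(url)
    return ((not info.netloc or info.netloc == host)
            and (not info.scheme or info.scheme in ("http", "https")))


def is_safe_url(url, host=HOST):
    """Hardened check: same host/scheme rule plus explicit rejection of inputs
    that browsers interpret differently from urlparse."""
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    # Some browsers ignore control characters at the start of a URL in an
    # anchor href; reject any URL whose first character is in a Unicode
    # "C" category (Cc control, Cf format such as U+200B, ...).
    if unicodedata.category(url[0])[0] == "C":
        return False
    # Chrome treats backslashes as forward slashes, so normalise before parsing.
    url = url.replace("\\", "/")
    # Three or more leading slashes are read as an absolute URL by Chrome.
    if url.startswith("///"):
        return False
    info = urlparse(url)
    # "http:///evil.example": scheme without host; reject rather than guess.
    if info.scheme and not info.netloc:
        return False
    return ((not info.netloc or info.netloc == host)
            and (not info.scheme or info.scheme in ("http", "https")))


if __name__ == "__main__":
    # Constructed sample redirect targets, as an untrusted "next" parameter.
    for target in ["/accounts/profile/", "\x08javascript:alert(1)",
                   "\u200b//evil.example/", "https://evil.example/", "\\\\evil.example"]:
        print(repr(target), naive_is_safe_url(target), is_safe_url(target))
```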
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (923176) was mentioned in https://build.opensuse.org/request/show/292041 13.2 / python-Django
This is an autogenerated message for OBS integration: This bug (923176) was mentioned in https://build.opensuse.org/request/show/292722 13.2 / python-Django
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-04-08. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61316
openSUSE-SU-2015:0643-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 913053,913055,913056,923172,923176 CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317 Sources used: openSUSE 13.2 (src): python-Django-1.6.11-3.4.1
SUSE-SU-2015:0694-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 923172,923176 CVE References: CVE-2015-2316,CVE-2015-2317 Sources used: SUSE Cloud 5 (src): python-Django-1.6.11-0.7.1
SUSE-SU-2015:0695-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 923176 CVE References: CVE-2015-2316,CVE-2015-2317 Sources used: SUSE Cloud 4 (src): python-django-1.5.12-0.9.1
SUSE-SU-2015:1109-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 913053,913055,913056,923172,923176 CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317 Sources used: SUSE Enterprise Storage 1.0 (src): python-Django-1.6.11-4.1
SUSE-SU-2015:1112-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 913053,913055,913056,923172,923176 CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317 Sources used: SUSE Enterprise Storage 1.0 (src): python-Django-1.6.11-4.1
This is an autogenerated message for OBS integration: This bug (923176) was mentioned in https://build.opensuse.org/request/show/330037 13.1 / python-django
This is an autogenerated message for OBS integration: This bug (923176) was mentioned in https://build.opensuse.org/request/show/330056 13.1 / python-django
openSUSE-SU-2015:1598-1: An update that solves 6 vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 913053,913054,913055,913056,914706,923176,941587 CVE References: CVE-2015-0219,CVE-2015-0220,CVE-2015-0221,CVE-2015-0222,CVE-2015-2317,CVE-2015-5963 Sources used: openSUSE 13.1 (src): python-django-1.5.12-0.2.11.1
According to comment 8 this was already fixed.