Debian Linux Security Advisory 2163-2 - The changes in python-django DSA-2163 necessary to fix the issues CVE-2011-0696 and CVE-2011-0697 introduced an unavoidable backward incompatibility, which caused a regression in dajaxice, which depends on python-django. This update supplies fixed packages for dajaxice.
641929e40a00a7714aad93d3dab94f2b66a080094f8e3369c64df3bfdc53dfdfMandriva Linux Security Advisory 2011-031 - Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery attacks via forged AJAX requests that leverage a combination of browser plugins and redirects, a related issue to CVE-2011-0447. Cross-site scripting vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload. Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / character in a key in a session cookie, related to session replays. The updated packages have been upgraded to the 1.1.4 version which is not vulnerable to these issues.
35b66525c38b4cc2dbc7f00656d49770e63010bc4caa8000a032054d2a571b32Ubuntu Security Notice 1066-1 - It was discovered that Django did not properly validate HTTP requests that contain an X-Requested-With header. An attacker could exploit this vulnerability to perform cross-site request forgery (CSRF) attacks. It was discovered that Django did not properly sanitize its input when performing file uploads, resulting in cross-site scripting (XSS) vulnerabilities. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain.
36104c4235322ded05ccaa17185d640b3a46aa379d05468d669681ba9cf4de86Debian Linux Security Advisory 2163-1 - Several vulnerabilities were discovered in the django web development framework. For several reasons the internal CSRF protection was not used to validate ajax requests in the past. However, it was discovered that this exception can be exploited with a combination of browser plugins and redirects and thus is not sufficient. It was discovered that the file upload form is prone to cross-site scripting attacks via the file name.
87f72613c0e91642c24a6eeecfcb0c3c15c5c30e179f7d4f7a4e7cdd06c9d13a
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed