what you don't know can hurt you
Showing 1 - 3 of 3 RSS Feed

CVE-2013-0305

Status Candidate

Overview

The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.

Related Files

Red Hat Security Advisory 2013-0670-01
Posted Mar 21, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-0670-01 - The Django web framework is used by Horizon, the OpenStack Dashboard, which is a web interface for managing OpenStack services. A denial of service flaw was found in the Extensible Markup Language parser used by Django. A remote attacker could use this flaw to send a specially-crafted request to an Horizon API, causing Horizon to consume an excessive amount of CPU and memory. A flaw was found in the XML parser used by Django. If a remote attacker sent a specially-crafted request to an Horizon API, it could cause Horizon to connect to external entities, causing a large amount of system load, or allow an attacker to read files on the Horizon server that are accessible to the user running Horizon.

tags | advisory, remote, web, denial of service
systems | linux, redhat
advisories | CVE-2013-0305, CVE-2013-0306, CVE-2013-1664, CVE-2013-1665
MD5 | 49537345135999b8af310a8ec3b69681
Ubuntu Security Notice USN-1757-1
Posted Mar 8, 2013
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1757-1 - James Kettle discovered that Django did not properly filter the Host HTTP header when processing certain requests. An attacker could exploit this to generate and display arbitrary URLs to users. Although this issue had been previously addressed in USN-1632-1, this update adds additional hardening measures to host header validation. This update also adds a new ALLOWED_HOSTS setting that can be set to a list of acceptable values for headers. Orange Tsai discovered that Django incorrectly performed permission checks when displaying the history view in the admin interface. An administrator could use this flaw to view the history of any object, regardless of intended permissions. Various other issues were also addressed.

tags | advisory, web, arbitrary
systems | linux, ubuntu
advisories | CVE-2012-4520, CVE-2013-0305, CVE-2013-0306, CVE-2013-1665, CVE-2012-4520, CVE-2013-0305, CVE-2013-0306, CVE-2013-1664, CVE-2013-1665
MD5 | 87e3a12e74a5e44e819568675aa4d16a
Debian Security Advisory 2634-1
Posted Feb 27, 2013
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2634-1 - Several vulnerabilities have been discovered in python-django, a high-level python web development framework.

tags | advisory, web, vulnerability, python
systems | linux, debian
advisories | CVE-2012-4520, CVE-2013-0305, CVE-2013-0306, CVE-2013-1665
MD5 | ec59d53a4cee74e8933db14c4354a884
Page 1 of 1
Back1Next

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close