
CVE-2016-7401

Status Candidate

Overview

The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.

Related Files

Red Hat Security Advisory 2016-2043-01
Posted Oct 10, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-2043-01 - Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. The following packages have been upgraded to a newer upstream version: python-django. Security Fix: A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.

tags | advisory, web, arbitrary, python
systems | linux, redhat
advisories | CVE-2016-7401
SHA-256 | 337e96ae15f85191c81c98803d157b836300d3fab4219623a3c2804bbcc57696
Red Hat Security Advisory 2016-2041-01
Posted Oct 10, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-2041-01 - Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. The following packages have been upgraded to a newer upstream version: python-django. Security Fix: A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.

tags | advisory, web, arbitrary, python
systems | linux, redhat
advisories | CVE-2016-7401
SHA-256 | ffb5140b97ea40e772d1a6a56fbe55a14ba8af0787beef39d089acd27865f5dc
Red Hat Security Advisory 2016-2039-01
Posted Oct 10, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-2039-01 - Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Security Fix: A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.

tags | advisory, web, arbitrary, python
systems | linux, redhat
advisories | CVE-2016-7401
SHA-256 | b4575b33a349292ed0dd60e88eb61906c997d4dd6191a15bc1005cc162073d50
Red Hat Security Advisory 2016-2040-01
Posted Oct 10, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-2040-01 - Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Security Fix: A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.

tags | advisory, web, arbitrary, python
systems | linux, redhat
advisories | CVE-2016-7401
SHA-256 | dca66e9ae7d686a5e6a3897352c5575c883dc1c90e3f6720e1f44b78850a62e0
Red Hat Security Advisory 2016-2042-01
Posted Oct 10, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-2042-01 - Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. The following packages have been upgraded to a newer upstream version: python-django. Security Fix: A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.

tags | advisory, web, arbitrary, python
systems | linux, redhat
advisories | CVE-2016-7401
SHA-256 | 61e08d297ba261d5ec6dbcfd00170c68ac9f66f3dcac221215d8ac187275a295
Red Hat Security Advisory 2016-2038-01
Posted Oct 10, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-2038-01 - Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Security Fix: A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.

tags | advisory, web, arbitrary, python
systems | linux, redhat
advisories | CVE-2016-7401
SHA-256 | 2fdd41bbb3f7aeb60de4d420e4b45cf3a8ff673149e2d9a14d7185b59585dbc3
Ubuntu Security Notice USN-3089-1
Posted Sep 27, 2016
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 3089-1 - Sergey Bobrov discovered that Django incorrectly parsed cookies when being used with Google Analytics. A remote attacker could possibly use this issue to set arbitrary cookies leading to a CSRF protection bypass.

tags | advisory, remote, arbitrary
systems | linux, ubuntu
advisories | CVE-2016-7401
SHA-256 | 1429af6725fcfdc8874b40c166000833bee38d63c06de42ce71e433a12f523fb
Debian Security Advisory 3678-1
Posted Sep 27, 2016
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3678-1 - Sergey Bobrov discovered that cookie parsing in Django and Google Analytics interacted in such a way that an attacker could set arbitrary cookies. This allows other malicious web sites to bypass the Cross-Site Request Forgery (CSRF) protections built into Django.

tags | advisory, web, arbitrary, csrf
systems | linux, debian
advisories | CVE-2016-7401
SHA-256 | ca95b0a735b7833fab215c8cd225e9f45f2155853007fe8f4abf34c989e7cc84