exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 8 of 8 RSS Feed

CVE-2016-7401

Status Candidate

Overview

The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.

Related Files

Red Hat Security Advisory 2016-2043-01
Posted Oct 10, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-2043-01 - Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. The following packages have been upgraded to a newer upstream version: python-django. Security Fix: A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.

tags | advisory, web, arbitrary, python
systems | linux, redhat
advisories | CVE-2016-7401
SHA-256 | 337e96ae15f85191c81c98803d157b836300d3fab4219623a3c2804bbcc57696
Red Hat Security Advisory 2016-2041-01
Posted Oct 10, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-2041-01 - Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. The following packages have been upgraded to a newer upstream version: python-django. Security Fix: A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.

tags | advisory, web, arbitrary, python
systems | linux, redhat
advisories | CVE-2016-7401
SHA-256 | ffb5140b97ea40e772d1a6a56fbe55a14ba8af0787beef39d089acd27865f5dc
Red Hat Security Advisory 2016-2039-01
Posted Oct 10, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-2039-01 - Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Security Fix: A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.

tags | advisory, web, arbitrary, python
systems | linux, redhat
advisories | CVE-2016-7401
SHA-256 | b4575b33a349292ed0dd60e88eb61906c997d4dd6191a15bc1005cc162073d50
Red Hat Security Advisory 2016-2040-01
Posted Oct 10, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-2040-01 - Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Security Fix: A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.

tags | advisory, web, arbitrary, python
systems | linux, redhat
advisories | CVE-2016-7401
SHA-256 | dca66e9ae7d686a5e6a3897352c5575c883dc1c90e3f6720e1f44b78850a62e0
Red Hat Security Advisory 2016-2042-01
Posted Oct 10, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-2042-01 - Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. The following packages have been upgraded to a newer upstream version: python-django. Security Fix: A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.

tags | advisory, web, arbitrary, python
systems | linux, redhat
advisories | CVE-2016-7401
SHA-256 | 61e08d297ba261d5ec6dbcfd00170c68ac9f66f3dcac221215d8ac187275a295
Red Hat Security Advisory 2016-2038-01
Posted Oct 10, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-2038-01 - Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Security Fix: A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.

tags | advisory, web, arbitrary, python
systems | linux, redhat
advisories | CVE-2016-7401
SHA-256 | 2fdd41bbb3f7aeb60de4d420e4b45cf3a8ff673149e2d9a14d7185b59585dbc3
Ubuntu Security Notice USN-3089-1
Posted Sep 27, 2016
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 3089-1 - Sergey Bobrov discovered that Django incorrectly parsed cookies when being used with Google Analytics. A remote attacker could possibly use this issue to set arbitrary cookies leading to a CSRF protection bypass.

tags | advisory, remote, arbitrary
systems | linux, ubuntu
advisories | CVE-2016-7401
SHA-256 | 1429af6725fcfdc8874b40c166000833bee38d63c06de42ce71e433a12f523fb
Debian Security Advisory 3678-1
Posted Sep 27, 2016
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3678-1 - Sergey Bobrov discovered that cookie parsing in Django and Google Analytics interacted such a way that an attacker could set arbitrary cookies. This allows other malicious web sites to bypass the Cross-Site Request Forgery (CSRF) protections built into Django.

tags | advisory, web, arbitrary, csrf
systems | linux, debian
advisories | CVE-2016-7401
SHA-256 | ca95b0a735b7833fab215c8cd225e9f45f2155853007fe8f4abf34c989e7cc84
Page 1 of 1
Back1Next

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close