ESB-2017.2262 - [Win][UNIX/Linux][FreeBSD] Django: Cross-site scripting - Remote with user interaction 2017-09-07


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2262
  Django -- possible XSS in traceback section of technical 500 debug page
                             7 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Django
Publisher:         FreeBSD
Operating System:  FreeBSD
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12794

Original Bulletin: 
   http://www.vuxml.org/freebsd/aaab03be-932d-11e7-92d8-4b26fc968492.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than FreeBSD. It is recommended that administrators
         running Django check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

Django -- possible XSS in traceback section of technical 500 debug page

Affected packages

py27-django110 < 1.10.8
py34-django110 < 1.10.8
py35-django110 < 1.10.8
py36-django110 < 1.10.8
py27-django111 < 1.11.5
py34-django111 < 1.11.5
py35-django111 < 1.11.5
py36-django111 < 1.11.5

Details

VuXML ID:  aaab03be-932d-11e7-92d8-4b26fc968492
Discovery: 2017-09-05
Entry:     2017-09-06

Django blog:

In older versions, HTML autoescaping was disabled in a portion of the template
for the technical 500 debug page. Given the right circumstances, this allowed
a cross-site scripting attack. This vulnerability shouldn't affect most 
production sites since you shouldn't run with DEBUG = True (which makes this 
page accessible) in your production settings.

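The following is an added example, not part of the AusCERT bulletin, the FreeBSD VuXML entry or Django's own code. It illustrates the two points in the quoted paragraph: why a template region rendered with autoescaping switched off turns request-influenced text into live markup, and how to catch the DEBUG = True setting (which exposes the technical 500 page) before it reaches production. The local-variable value, the settings modules and the helper names (render_frame_var, find_debug_true) are all constructed for the example; Django is not required to run it.

```python
"""Added example: autoescape on/off in a traceback-style table, and a static
check for DEBUG = True in a Django settings module (no Django import needed)."""
import ast
import html

# Constructed sample: a string that could appear in the 'Local vars' table of
# a traceback (any request-derived value, e.g. a header, can end up there).
SAMPLE_LOCAL_VAR = '<script>alert("xss")</script>'


def render_frame_var(name: str, value: str, autoescape: bool) -> str:
    """Render one row of a traceback 'Local vars' table.

    autoescape=True mirrors Django's default: the value is HTML-escaped before
    it is placed in the markup.  autoescape=False interpolates it raw, which is
    the template pattern the 1.10.8 / 1.11.5 fix removed from the debug page.
    """
    shown = html.escape(value) if autoescape else value
    return f"<tr><td>{html.escape(name)}</td><td><pre>{shown}</pre></td></tr>"


def contains_active_markup(rendered: str) -> bool:
    """True if an unescaped <script tag survived into the rendered HTML."""
    return "<script" in rendered.lower()


def find_debug_true(settings_source: str) -> list:
    """Return line numbers of module-level `DEBUG = True` assignments.

    The settings file is parsed with `ast` instead of being imported, so the
    check runs in CI without the project's environment or Django installed.
    """
    tree = ast.parse(settings_source)
    hits = []
    for node in tree.body:
        if not isinstance(node, ast.Assign):
            continue
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        if ("DEBUG" in names and isinstance(node.value, ast.Constant)
                and node.value.value is True):
            hits.append(node.lineno)
    return hits


# Constructed sample settings modules (hypothetical project).
PROD_SETTINGS_BAD = "SECRET_KEY = 'x'\nDEBUG = True\nALLOWED_HOSTS = ['example.com']\n"
PROD_SETTINGS_OK = "SECRET_KEY = 'x'\nDEBUG = False\nALLOWED_HOSTS = ['example.com']\n"

if __name__ == "__main__":
    print("autoescape off:", render_frame_var("payload", SAMPLE_LOCAL_VAR, autoescape=False))
    print("autoescape on: ", render_frame_var("payload", SAMPLE_LOCAL_VAR, autoescape=True))
    print("DEBUG = True found on lines:", find_debug_true(PROD_SETTINGS_BAD))
```

The escaping half shows that the fix is simply to leave autoescaping on for every value that may carry request data; the settings half is the deployment-side control the quoted paragraph relies on, since the debug page is never served when DEBUG is False. The check only recognises a literal `True` assignment; a value computed from the environment is reported as clean and should be verified at runtime instead.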

References

CVE Name: CVE-2017-12794
URL:      https://www.djangoproject.com/weblog/2017/sep/05/security-releases/

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================