Operating System:

[WIN][UNIX/Linux]

Published:

09 March 2016

Protect yourself against future threats.

//Service

Incident Management

Whether it is proactive or reactive services you're after, we will help you detect, interpret and respond to attacks from across the globe.

Read more
Resources > Security Bulletins > ASB-2016.0026 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2016.0026
          Multiple vulnerabilities have been identified in Django
                    prior to releases 1.8.10 and 1.9.3
                               9 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Django
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Provide Misleading Information -- Remote with User Interaction
                      Reduced Security               -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-2513 CVE-2016-2512 
Member content until: Friday, April  8 2016

OVERVIEW

        Multiple vulnerabilities have been identified in Django prior to 
        releases 1.8.10 and 1.9.3. [1]


IMPACT

        Django has provided the following details regarding the 
        vulnerabilities:
        
        "CVE-2016-2512: Malicious redirect and possible XSS attack via 
        user-supplied redirect URLs containing basic auth
        
        Django relies on user input in some cases (e.g. 
        django.contrib.auth.views.login() and i18n) to redirect the user to
        an "on success" URL. The security check for these redirects (namely
        django.utils.http.is_safe_url()) considered some URLs with basic 
        authentication credentials "safe" when they shouldn't be.
        
        For example, a URL like http://mysite.example.com\@attacker.com 
        would be considered safe if the request's host is 
        http://mysite.example.com, but redirecting to this URL sends the 
        user to attacker.com.
        
        Also, if a developer relies on is_safe_url() to provide safe 
        redirect targets and puts such a URL into a link, they could suffer
        from an XSS attack." [1]
        
        "CVE-2016-2513: User enumeration through timing difference on 
        password hasher work factor upgrade
        
        In each major version of Django since 1.6, the default number of 
        iterations for the PBKDF2PasswordHasher and its subclasses has 
        increased. This improves the security of the password as the speed 
        of hardware increases, however, it also creates a timing difference
        between a login request for a user with a password encoded in an 
        older number of iterations and login request for a nonexistent user
        (which runs the default hasher's default number of iterations since
        Django 1.6).
        
        This only affects users who haven't logged in since the iterations 
        were increased. The first time a user logs in after an iterations 
        increase, their password is updated with the new iterations and 
        there is no longer a timing difference." [1]


MITIGATION

        Django encourages all users to update to the latest release to fix 
        thes issues. [1]


REFERENCES

        [1] Django security releases issued: 1.9.3 and 1.8.10
            https://www.djangoproject.com/weblog/2016/mar/01/security-releases/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVt+7G36ZAP0PgtI9AQIb3BAAl1ypH6wmULOCleUJsi2LOilwN3Mxj5ij
JxL3F9rV4ym6JADzkskspicKW/ajKI4HcAmEMrWjbzNkOSCX/I4tfDSEcLMdWTsP
4TYxRW863Dz5Fv27DE2O2oHcUO7Mug+kb0PidWqiiPfwDXMD1OHVTc4xRSYCHqJm
OHYaqqUPuUZNBc0BRmkZfddDw7xm1r8wU02YvhkGtjxAZec9Ihwq2qGnzcHlno8X
/5OnhB6DQxe+rS5CHiyG8+qkrKJSdfdNeqHfgboyV/v72+05aknBAtDleslJm4Gv
EH8cVVc6NN4zjryTLNCfsPd2IKaSo2OmvricyM1WIWWkANkuYW5zDB+LEw/7qB20
zAbrDYYniAgIJvSUzV4A+dj61gqUJnb7LGAzudHs4Jh7RaWmSvgSvCGgnIkgQ0pZ
FSvDa5zr9EYbvHGff3xYJ2XqBvYwxdYMgjk4zJZ/mvRAe1Q5OCZjGRfwXkxizm9F
15yFYF4CxnF+iZscwdM/8NT14bjaIUGe3kaNmOi2vuT39opHZp/2m8T3yRiB6x+u
3rO2yAqAre7xa+YOwdgbOm0zmEwPyylZBMzZ9KtcyBZYc5ONe+mak/BYatOfzgaK
degzo7DeH3I1ZKjy1pWerbUW1goaL9HVD11RcVH2uZ6UhwUkpp7aFWiptYPwbgDe
36//J4c4bCI=
=UzIW
-----END PGP SIGNATURE-----