Django 'django.views.static.serve()' Function Open Redirection Vulnerability
Django is prone to an open-redirection vulnerability because it fails to properly sanitize user-supplied input.

An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.

Versions prior to Django 1.10.7, 1.9.13, and 1.8.18 are vulnerable.
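The advisory above describes the failure mode only in general terms: a view takes a user-supplied path and turns it into a redirect without confirming the target stays on the current site. The following is an added illustration, not Django's code and not the patched serve() view, showing the kind of check a defender would apply before issuing any redirect built from request data. It uses only the Python standard library; the function names and the sample inputs are constructed for this example.

```python
"""
Added example (not Django project code): validating a redirect target so
that a user-controlled path cannot send the browser to another host.

The check accepts only an absolute path on the current site.  It rejects
the forms browsers interpret as leaving the site: absolute URLs with a
scheme, protocol-relative URLs such as '//other.example/', the
triple-slash variant browsers collapse to the same thing, backslashes
(which browsers normalise to '/'), and control characters that browsers
strip before parsing.
"""
from urllib.parse import urlsplit


def is_local_redirect_target(target: str) -> bool:
    """Return True only if `target` is a same-site absolute path."""
    if not target:
        return False
    # Browsers treat '\' like '/', so '/\other.example' becomes
    # '//other.example' and would leave the site.
    if "\\" in target:
        return False
    # Tabs, newlines and other C0 controls are stripped by browsers
    # before parsing, which defeats naive prefix checks.
    if any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return False
    # Require an absolute path; a bare 'host/...' or 'scheme:...' form
    # is either relative to the current page or an external URL.
    if not target.startswith("/"):
        return False
    # '//host/...' and '///host/...' are both host-relative in browsers.
    if target.startswith("//"):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    # Belt and braces: any scheme or network location means off-site.
    if parts.scheme or parts.netloc:
        return False
    return True


def resolve_redirect(requested: str, fallback: str = "/") -> str:
    """Return `requested` if it is a safe local target, else `fallback`.

    This is the shape of the guard a view should place in front of
    HttpResponseRedirect when the target comes from the request.
    """
    return requested if is_local_redirect_target(requested) else fallback


def demo() -> dict:
    """Run the check over constructed sample targets (not real traffic)."""
    samples = [
        "/accounts/profile/",             # ordinary same-site path
        "/static/img/logo.png?v=2",       # path with a query string
        "",                               # empty input
        "//other.example/",               # protocol-relative URL
        "///other.example/",              # collapsed to the above by browsers
        "/\\other.example/",              # backslash normalised to '/'
        "https://other.example/",         # absolute URL with scheme
        "/path\twith\tcontrol",           # control characters
        "profile/",                       # relative, not anchored at '/'
    ]
    return {s: is_local_redirect_target(s) for s in samples}


if __name__ == "__main__":
    for target, ok in demo().items():
        print(f"{'allow' if ok else 'reject':6}  {target!r}")
    print("redirect ->", resolve_redirect("//other.example/", "/"))
```

The check is deliberately stricter than a host allow-list: it refuses anything that is not a plain absolute path, which is all a static-file or post-login redirect ever needs. Rejected targets fall back to a fixed location rather than being "cleaned up", because normalisation is exactly where redirect bypasses tend to creep in.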

Information

Bugtraq ID: 97401
Class: Input Validation Error
CVE: CVE-2017-7234

Remote: Yes
Local: No
Published: Apr 04 2017 12:00AM
Credit: Phithon Gong
Vulnerable: Djangoproject Django 1.10.6
Djangoproject Django 1.10.5
Djangoproject Django 1.10.3
Djangoproject Django 1.10.2
Djangoproject Django 1.10.1
Djangoproject Django 1.9.12
Djangoproject Django 1.9.11
Djangoproject Django 1.9.10
Djangoproject Django 1.9.9
Djangoproject Django 1.9.3
Djangoproject Django 1.8.16
Djangoproject Django 1.8.15
Djangoproject Django 1.8.14
Djangoproject Django 1.8.10
Djangoproject Django 1.8.7
Djangoproject Django 1.8.6
Djangoproject Django 1.8.5
Djangoproject Django 1.8.4
Djangoproject Django 1.8.3
Djangoproject Django 1.8.2
Djangoproject Django 1.8.1
Djangoproject Django 1.8
Djangoproject Django 1.9.2
Djangoproject Django 1.9.1
Djangoproject Django 1.9
Djangoproject Django 1.10


Not Vulnerable: Djangoproject Django 1.10.7
Djangoproject Django 1.9.13
Djangoproject Django 1.8.18


Exploit

An attacker can exploit this issue by enticing an unsuspecting victim to follow a malicious URI.