
CVE-2011-4140

Published: 19 October 2011

The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.

Notes

Author: jdstrand
Note:
Upstream does not consider this a bug in Django but instead advises
that web servers be properly configured: "To avoid this potential attack, we
recommend that users of Django ensure their web-server configuration always
validates incoming HTTP Host headers against the expected host name,
disallows requests with no Host header, and that the web server not be
configured with a catch-all virtual host which forwards requests to a Django
application."
In addition to the vulnerabilities python-django disclosed, they
also posted 3 advisories. 2 of them did not receive a CVE, but this one did.
Upstream is not planning on fixing the issue as it is dependent on an
insecure server configuration, as such there is nothing to be done in
Ubuntu.
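The upstream advice quoted above amounts to three checks: a request must carry a Host header, that header must name one of the hostnames the deployment expects, and no catch-all virtual host may forward unmatched requests to the application. The following is an added example, not code from Django, Ubuntu or the note's author: a small WSGI middleware that applies the same Host-header allowlist in Python so the behaviour can be exercised offline. The hostnames in EXPECTED_HOSTS and the demo application are constructed for the example; in a real deployment this check belongs in the web server configuration, as upstream recommends.

```python
"""Host-header allowlisting in front of a WSGI app (added example, not Django's code)."""

# Hostnames this deployment is expected to serve; anything else is rejected.
# These names are constructed for the example.
EXPECTED_HOSTS = {"app.example.test", "www.app.example.test"}


def _split_host(raw_host):
    """Return the lowercase hostname part of a Host header value, dropping any port.

    Handles bracketed IPv6 literals such as "[::1]:8000". Returns None for values
    that are empty or malformed, so the caller treats them as not allowed.
    """
    host = raw_host.strip().lower()
    if not host:
        return None
    if host.startswith("["):
        end = host.find("]")
        if end == -1:
            return None
        rest = host[end + 1:]
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        return host[: end + 1]
    name, sep, port = host.partition(":")
    if sep and not port.isdigit():
        return None
    return name


def host_allowed(raw_host, allowed=EXPECTED_HOSTS):
    """True only when the Host header is present and names an expected hostname."""
    if raw_host is None:
        return False
    name = _split_host(raw_host)
    return name is not None and name in allowed


class HostHeaderGuard:
    """WSGI middleware: reject requests with a missing or unexpected Host header.

    A request that reaches the application with a Host value the deployment does
    not serve is answered with 400 instead of being forwarded, which is the
    per-application equivalent of not having a catch-all virtual host.
    """

    def __init__(self, app, allowed=EXPECTED_HOSTS):
        self.app = app
        self.allowed = allowed

    def __call__(self, environ, start_response):
        if not host_allowed(environ.get("HTTP_HOST"), self.allowed):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Bad Host header\n"]
        return self.app(environ, start_response)


def _demo_app(environ, start_response):
    """Stand-in for the protected application (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def run_request(host_value, app=None):
    """Drive the guarded app with a constructed WSGI environ; return (status, body)."""
    guarded = HostHeaderGuard(app or _demo_app)
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/"}
    if host_value is not None:
        environ["HTTP_HOST"] = host_value
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(guarded(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    for host in ("app.example.test", "APP.example.test:443", None,
                 "other.example.test", "[::1]:8000"):
        print(repr(host), "->", run_request(host)[0])
```

Requests for `app.example.test` (with or without a port, in any letter case) reach the application; a missing Host header, an unexpected hostname and a bare IPv6 literal are all answered with 400. Later Django releases added a built-in ALLOWED_HOSTS setting that performs this same comparison; on the affected versions listed here the check has to live in the web server or in front of the application.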

Priority

Negligible

Status

Package: python-django (Launchpad, Ubuntu, Debian)

Release    Status
hardy      Ignored
lucid      Ignored
maverick   Ignored
natty      Ignored
oneiric    Ignored
upstream   Ignored