[3.1] py-django: Multiple security issues (CVE-2016-2512, CVE-2016-2513)
CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
Django relies on user input in some cases (e.g.
django.contrib.auth.views.login() and i18n) to redirect the user to an
“on success” URL.
The security check for these redirects (namely
django.utils.http.is_safe_url()) considered some URLs with basic
authentication credentials “safe” when they shouldn’t be.
CVE-2016-2513: User enumeration through timing difference on password hasher work factor upgrade
In each major version of Django since 1.6, the default number of
iterations for the PBKDF2PasswordHasher and its subclasses has
increased.
This improves the security of the password as the speed of hardware
increases; however, it also creates a timing difference between a login
request for a user with a password encoded with an older number of
iterations and a login request for a nonexistent user (which runs the
default hasher's default number of iterations since Django 1.6).
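The timing gap described above, and one way to close it, as an added example written for this page (not Django's own code): the naive verify() only runs the iteration count stored in the hash, so a legacy hash checks faster than a current one, while verify_constant_work() and login_work() top every check up to the current default so that a legacy hash, a current hash and a nonexistent user all cost the same. The iteration counts, salts and user table are constructed.

```python
import base64
import hashlib
import hmac
import os

# Work factor of the "default hasher" (constructed value for the example).
CURRENT_ITERATIONS = 24000
ALGORITHM = "pbkdf2_sha256"

def encode(password, salt, iterations):
    """Store the hash as algorithm$iterations$salt$hash (Django's PBKDF2 layout)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "$".join([ALGORITHM, str(iterations), salt, base64.b64encode(digest).decode()])

def verify(password, encoded):
    """Naive check: returns (matches, iterations run). Only the stored iteration
    count is run, so a legacy hash is verified faster than a current one."""
    _, iterations, salt, _ = encoded.split("$", 3)
    iterations = int(iterations)
    candidate = encode(password, salt, iterations)
    return hmac.compare_digest(candidate, encoded), iterations

def verify_constant_work(password, encoded):
    """Hardened check: top up to CURRENT_ITERATIONS so every verification costs
    the same regardless of how old the stored hash is."""
    ok, iterations = verify(password, encoded)
    extra = CURRENT_ITERATIONS - iterations
    if extra > 0:
        # Burn the missing work on a throwaway derivation; the result is discarded.
        hashlib.pbkdf2_hmac("sha256", password.encode(), os.urandom(16), extra)
        iterations += extra
    return ok, iterations

def login_work(username, password, users):
    """Simulated login: unknown users also pay CURRENT_ITERATIONS, so the
    work done no longer reveals whether the account exists."""
    encoded = users.get(username)
    if encoded is None:
        hashlib.pbkdf2_hmac("sha256", password.encode(), os.urandom(16), CURRENT_ITERATIONS)
        return False, CURRENT_ITERATIONS
    return verify_constant_work(password, encoded)

# Constructed user table: one hash from an older default, one from the current default.
USERS = {
    "legacy": encode("correct horse", "saltA", 12000),
    "fresh": encode("battery staple", "saltB", CURRENT_ITERATIONS),
}
```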
Fixed In Version:
python-django 1.8.10, python-django 1.9.3
References:
https://www.djangoproject.com/weblog/2016/mar/01/security-releases/
Patches:
On the 1.8 release branch:
https://github.com/django/django/commit/382ab137312961ad62feb8109d70a5a581fe8350
(CVE-2016-2512)
https://github.com/django/django/commit/f4e6e02f7713a6924d16540be279909ff4091eb6
(CVE-2016-2513)
(from redmine: issue id 5318, created on 2016-03-23, closed on 2016-06-14)
- Relations:
- parent #5314 (closed)