Mandriva Linux Security Advisory : python-django (MDVSA-2013:234)

This script is Copyright (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing a security update.

Description :

A vulnerability has been discovered and corrected in python-django :

Rainer Koirikivi discovered a directory traversal vulnerability with
'ssi' template tags in python-django, a high-level Python web
development framework. It was shown that the handling of the
'ALLOWED_INCLUDE_ROOTS' setting, used to represent allowed prefixes
for the {% ssi %} template tag, is vulnerable to a directory traversal
attack, by specifying a file path which begins as the absolute path of
a directory in 'ALLOWED_INCLUDE_ROOTS', and then uses relative paths
to break free. To exploit this vulnerability an attacker must be in a
position to alter templates on the site, or the site to be attacked
must have one or more templates making use of the 'ssi' tag, and must
allow some form of unsanitized user input to be used as an argument to
the 'ssi' tag (CVE-2013-4315).

The updated packages have been patched to correct this issue.

Solution :

Update the affected python-django package.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Mandriva Local Security Checks

Nessus Plugin ID: 69892 ()

Bugtraq ID: 62332

CVE ID: CVE-2013-4315

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now