FreeBSD : django -- multiple vulnerabilities (5f326d75-1db9-11e2-bc8f-d0df9acfd7e5)

Medium Nessus Plugin ID 62705


The remote FreeBSD host is missing one or more security-related updates.


The Django Project reports :

- Host header poisoning

Some parts of Django -- independent of end-user-written applications
-- make use of full URLs, including domain name, which are generated from the HTTP Host header. Some attacks against this are beyond Django's ability to control, and require the web server to be properly configured; Django's documentation has for some time contained notes advising users on such configuration.

Django's own built-in parsing of the Host header is, however, still vulnerable, as was reported to us recently. The Host header parsing in Django 1.3 and Django 1.4 -- specifically, django.http.HttpRequest.get_host() -- was incorrectly handling username/password information in the header. Thus, for example, the following Host header would be accepted by Django when running on '' :

Host:[email protected]

Using this, an attacker can cause parts of Django -- particularly the password-reset mechanism -- to generate and display arbitrary URLs to users.

To remedy this, the parsing in HttpRequest.get_host() is being modified; Host headers which contain potentially dangerous content (such as username/password pairs) now raise the exception django.core.exceptions.SuspiciousOperation.

- Documentation of HttpOnly cookie option

As of Django 1.4, session cookies are always sent with the HttpOnly flag, which provides some additional protection from cross-site scripting attacks by denying client-side scripts access to the session cookie.

Though not directly a security issue in Django, it has been reported that the Django 1.4 documentation incorrectly described this change, by claiming that this was now the default for all cookies set by the HttpResponse.set_cookie() method.

The Django documentation has been updated to reflect that this only applies to the session cookie. Users of Django are encouraged to review their use of set_cookie() to ensure that the HttpOnly flag is being set or unset appropriately.


Update the affected packages.

See Also

Plugin Details

Severity: Medium

ID: 62705

File Name: freebsd_pkg_5f326d751db911e2bc8fd0df9acfd7e5.nasl

Version: $Revision: 1.3 $

Type: local

Published: 2012/10/26

Modified: 2013/06/21

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:django, p-cpe:/a:freebsd:freebsd:django13, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2012/10/24

Vulnerability Publication Date: 2012/10/17

Reference Information

CVE: CVE-2012-4520