Input validation error in Django

1) Input validation error

EUVDB-ID: #VU43328

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2012-4520

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Django: 1.3 - 1.4.1

CPE2.3

• cpe:2.3:a:django_software_foundation:django:1.4.1:*:*:*:*:*:*:*

External links

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145
https://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html
https://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html
https://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html
https://secunia.com/advisories/51033
https://secunia.com/advisories/51314
https://securitytracker.com/id?1027708
https://ubuntu.com/usn/usn-1632-1
https://ubuntu.com/usn/usn-1757-1
https://www.debian.org/security/2013/dsa-2634
https://www.openwall.com/lists/oss-security/2012/10/30/4
https://www.osvdb.org/86493
https://bugzilla.redhat.com/show_bug.cgi?id=865164
https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3
https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e
https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071
https://www.djangoproject.com/weblog/2012/oct/17/security/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.