Bug 336594 (CVE-2010-3082) - =dev-python/django-1.2* XSS via csrf_token (CVE-2010-3082)
Summary: =dev-python/django-1.2* XSS via csrf_token (CVE-2010-3082)
Status: RESOLVED FIXED
Alias: CVE-2010-3082
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://www.djangoproject.com/weblog/2...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-09-09 13:42 UTC by Albert W. Hopkins
Modified: 2010-09-23 20:06 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Albert W. Hopkins 2010-09-09 13:42:42 UTC
FYI there is a security issue found in django 1.2.1.  A fix has been applied to django 1.2.2:

http://www.djangoproject.com/weblog/2010/sep/08/security-release/
Comment 1 Alex Legler (RETIRED) 2010-09-09 14:17:39 UTC
Summary from $URL:
The provided template tag for inserting the CSRF token into forms -- {% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is. Thus, an attacker who is able to tamper with the value of the CSRF cookie can cause arbitrary content to be inserted, unescaped, into the outgoing HTML of the form, enabling cross-site scripting (XSS) attacks.

Affected versions:
=dev-python/django-1.2* (~arch only)
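The failure described in the summary above, reduced to a runnable model. This is an added example, not code from the Django project or from this bug: the "vulnerable" function mirrors the behaviour the advisory describes (the {% csrf_token %} tag interpolates the cookie value into the hidden input unescaped), and the "hardened" function shows the check a practitioner wants between cookie and template: restrict the token to the alphabet a genuine token uses and replace anything else with a fresh token, then escape on output anyway. The sample cookie values, the 32-character hex token format and the regeneration policy are assumptions made for the illustration; the upstream 1.2.2 fix sanitizes the cookie value before it reaches the tag, but the exact code here is this example's own.

```python
import html
import re
import secrets

# Constructed sample inputs (not taken from the advisory):
#  - a cookie value an attacker has planted; the advisory only says the
#    attacker is "able to tamper with the value of the CSRF cookie", the
#    payload below is one illustrative choice.
#  - a well-formed token of the shape this example assumes (32 hex chars).
MALICIOUS_COOKIE = "x' /><script>alert(document.cookie)</script><input value='"
GOOD_COOKIE = "5d41402abc4b2a76b9719d911017c592"

# Anything outside the expected token alphabet is a sign of tampering.
_NON_TOKEN_CHARS = re.compile(r"[^a-zA-Z0-9]")
TOKEN_LEN = 32  # assumption for this example; real deployments must match their own format


def render_csrf_tag_vulnerable(cookie_value):
    """Model of the behaviour the advisory describes: the cookie value is
    trusted and written into the form as-is, so markup in it becomes markup
    in the page (XSS)."""
    return ("<div style='display:none'><input type='hidden' "
            "name='csrfmiddlewaretoken' value='%s' /></div>" % cookie_value)


def looks_tampered(cookie_value):
    """True if the cookie value could not have been issued by the server:
    wrong length or characters outside the token alphabet."""
    return (len(cookie_value) != TOKEN_LEN
            or _NON_TOKEN_CHARS.search(cookie_value) is not None)


def sanitize_token(cookie_value):
    """Return a token that is safe to embed: the original value if it is
    well-formed, otherwise a newly generated one (the tampered value is
    discarded rather than partially stripped, so the attacker controls
    nothing of what is rendered)."""
    if looks_tampered(cookie_value):
        return secrets.token_hex(TOKEN_LEN // 2)  # 16 bytes -> 32 hex chars
    return cookie_value


def render_csrf_tag_hardened(cookie_value):
    """Hardened variant: validate the token first, and still HTML-escape it
    on output so the template never depends on the validation alone."""
    token = html.escape(sanitize_token(cookie_value), quote=True)
    return ("<div style='display:none'><input type='hidden' "
            "name='csrfmiddlewaretoken' value='%s' /></div>" % token)


if __name__ == "__main__":
    print("vulnerable:", render_csrf_tag_vulnerable(MALICIOUS_COOKIE))
    print("hardened:  ", render_csrf_tag_hardened(MALICIOUS_COOKIE))
```

Run it and compare the two lines: the first carries the attacker's `<script>` element straight into the form, the second contains only a fresh alphanumeric token. `looks_tampered` is also the check worth logging on the server side, since a CSRF cookie that fails it did not come from the application.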
Comment 2 Albert W. Hopkins 2010-09-11 22:34:39 UTC
Django 1.2.3 has been released. This release deals with some issues caused by Django 1.2.2.

See
http://www.djangoproject.com/weblog/2010/sep/10/123/
Comment 3 Arfrever Frehtes Taifersar Arahesis (RETIRED) 2010-09-22 19:39:57 UTC
dev-python/django-1.2.3 has been added to the tree. Vulnerable versions have been deleted.
Comment 4 Pierre-Yves Rofes (RETIRED) 2010-09-23 20:06:54 UTC
thanks, closing without glsa.