Users are advised to update their installations as soon as possible

Apr 22, 2014 11:05 GMT

The developers of the Python framework Django have announced the availability of versions 1.4.11, 1.5.6, 1.6.3 and 1.7 beta 2. These releases are part of the project’s security process and address a total of three issues.

The first issue is an unexpected code execution bug when using the reverse() function. The vulnerability, CVE-2014-0472, has been reported by Benjamin Bach. If certain conditions are met, an attacker can leverage this flaw to execute arbitrary code.

“To remedy this [vulnerability], reverse() will now only accept and import dotted paths based on the view-containing modules listed in the project's URL pattern configuration, so as to ensure that only modules the developer intended to be imported in this fashion can or will be imported,” the Django team explained in its advisory.
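The allowlisting idea the advisory describes can be shown in a few lines. The block below is an added example, not Django's reverse() implementation and not code from the advisory: it contrasts a resolver that imports whatever dotted path it is handed with one that only imports from an explicit set of modules. The allowed modules here are standard-library names (json, html) so the code runs without Django; in a real project the set would be derived from the modules named in the URL pattern configuration.

```python
import importlib

# Constructed allowlist: stands in for the view-containing modules that a
# project's URL configuration lists. Standard-library modules are used so the
# example runs stand-alone.
ALLOWED_VIEW_MODULES = {"json", "html"}


def import_view_unrestricted(dotted_path):
    """Simplified pre-fix behaviour: import any module the caller names.

    Anything importable on the Python path can be reached this way, which is
    what made attacker-influenced dotted paths dangerous.
    """
    module_name, _, attr = dotted_path.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)


def import_view_allowlisted(dotted_path, allowed_modules=ALLOWED_VIEW_MODULES):
    """Simplified post-fix behaviour: import only from allowlisted modules.

    The module part of the dotted path must match a module the developer
    declared; everything else is rejected before importlib is touched.
    """
    module_name, _, attr = dotted_path.rpartition(".")
    if not module_name or module_name not in allowed_modules:
        raise ValueError(
            f"{dotted_path!r} does not name a view module from the URL configuration"
        )
    return getattr(importlib.import_module(module_name), attr)


def is_allowed_view(dotted_path):
    """True if the allowlisted resolver can import the path, False otherwise."""
    try:
        import_view_allowlisted(dotted_path)
    except (ValueError, ImportError, AttributeError):
        return False
    return True


if __name__ == "__main__":
    # The unrestricted resolver happily imports a module never meant to be a view.
    print(import_view_unrestricted("os.getcwd"))
    # The allowlisted resolver only resolves declared view modules.
    print(is_allowed_view("json.dumps"), is_allowed_view("os.getcwd"))
```

The check is deliberately an exact module match rather than a prefix match, so that `json.decoder` would not be accepted merely because `json` is listed; a project that wants submodules included should add them explicitly.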

The second security hole, CVE-2014-0473, was reported by Paul McMillan. The flaw is that caching anonymous pages could reveal cross-site request forgery (CSRF) tokens.

The CSRF protection mechanism integrated into Django is based on a random nonce sent to the client in a cookie. The client must send this cookie on future requests. In the case of forms, a hidden value must be submitted back with the form.

However, because of this flaw, an attacker could obtain a valid CSRF cookie and bypass the protection system.
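To see why caching an anonymous page is a problem for a cookie-based nonce, the following added example (not Django's middleware, not code from the advisory) models a page that embeds a CSRF token in a hidden field and a tiny HTTP cache that honours the Vary header. Two rules in the cache model are assumptions made for this illustration rather than facts from the article: a response carrying `Vary: Cookie` is keyed on the request's cookies, and a response that sets a cookie in reply to a cookie-less request is not cached at all. With neither rule in play the first visitor's token is served to everyone; with both, each visitor gets their own.

```python
import secrets


class Response:
    """Minimal stand-in for an HTTP response: a body plus a header dict."""

    def __init__(self, body, headers):
        self.body = body
        self.headers = headers


def render_form(request_cookies, vary_on_cookie):
    """Render a form with a hidden CSRF field (constructed page, not Django's).

    A returning client keeps the nonce from its cookie; a new client gets a
    fresh one and a Set-Cookie header. When vary_on_cookie is True the response
    declares that its content depends on the Cookie header.
    """
    token = request_cookies.get("csrftoken") or secrets.token_hex(16)
    body = f'<input type="hidden" name="csrfmiddlewaretoken" value="{token}">'
    headers = {"Set-Cookie": f"csrftoken={token}"}
    if vary_on_cookie:
        headers["Vary"] = "Cookie"
    return Response(body, headers)


def secondary_key(vary, request_cookies):
    """Cache sub-key: the request cookies when the entry varies on Cookie."""
    if vary == "Cookie":
        return tuple(sorted(request_cookies.items()))
    return ()


def serve(cache, path, request_cookies, vary_on_cookie):
    """Serve a path through a simplified Vary-aware page cache (assumed model)."""
    entry = cache.get(path)
    if entry is not None:
        vary, variants = entry
        hit = variants.get(secondary_key(vary, request_cookies))
        if hit is not None:
            return hit
    response = render_form(request_cookies, vary_on_cookie)
    vary = response.headers.get("Vary")
    # Assumed rule: a cookie-less request that was just handed a cookie received
    # per-client content, so the response must not be stored for other clients.
    if vary == "Cookie" and not request_cookies and "Set-Cookie" in response.headers:
        return response
    _, variants = cache.setdefault(path, (vary, {}))
    variants[secondary_key(vary, request_cookies)] = response
    return response


def extract_token(response):
    """Pull the hidden-field value back out of the constructed form body."""
    return response.body.split('value="', 1)[1].split('"', 1)[0]


def anonymous_visitors_share_token(vary_on_cookie):
    """Do two cookie-less visitors end up with the same CSRF token?"""
    cache = {}
    first = serve(cache, "/form/", {}, vary_on_cookie)
    second = serve(cache, "/form/", {}, vary_on_cookie)
    return extract_token(first) == extract_token(second)


def returning_visitor_keeps_own_token(vary_on_cookie):
    """Does a client with an existing nonce get a form matching its own cookie?"""
    cache = {}
    serve(cache, "/form/", {}, vary_on_cookie)  # another visitor warms the cache
    own_nonce = "a" * 32
    mine = serve(cache, "/form/", {"csrftoken": own_nonce}, vary_on_cookie)
    return extract_token(mine) == own_nonce


if __name__ == "__main__":
    print("shared token without Vary:", anonymous_visitors_share_token(False))
    print("shared token with Vary:   ", anonymous_visitors_share_token(True))
    print("own token kept without Vary:", returning_visitor_keeps_own_token(False))
    print("own token kept with Vary:   ", returning_visitor_keeps_own_token(True))
```

The second scenario matters as much as the first: without `Vary: Cookie`, a returning visitor is handed a cached form whose hidden field does not match the nonce in their own cookie, so the token leak and a broken form submission are two faces of the same caching mistake.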

A MySQL typecasting issue has also been fixed. Michael Koziarski of the Ruby on Rails team is credited with finding and reporting the bug, which has been assigned the identifier CVE-2014-0474.

“The MySQL database is known to ‘typecast’ on certain queries; for example, when querying a table which contains string values, but using a query which filters based on an integer value, MySQL will first silently coerce the strings to integers, and return a result based on that,” the advisory reads.

It continues, “If a query is performed without first converting values to the appropriate type, this can produce unexpected results, similar to what would occur if the query itself had been manipulated.”
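The difference between letting the database coerce a value and converting it first can be shown without a MySQL server. The block below is an added example, not Django's ORM code and not taken from the advisory; its `mysql_like_numeric` function is a simplified model, assumed for this illustration, of how MySQL treats a string in a numeric comparison (the leading numeric prefix is used, and a string with no numeric prefix becomes 0). The checked variant does what the fix describes: it converts the lookup value to the field's type before any query is built, so a malformed value is rejected rather than silently matching a row.

```python
import re

# Constructed sample table: (integer primary key, name).
ROWS = [(1, "alice"), (2, "bob"), (0, "guest")]

# Leading numeric prefix, optionally signed, with an optional fraction.
_LEADING_NUMBER = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)")


def mysql_like_numeric(value):
    """Assumed, simplified model of MySQL's string-to-number coercion.

    An int is returned unchanged; a string contributes its leading numeric
    prefix, and a string with no such prefix becomes 0. This is a model for
    the example, not MySQL's implementation.
    """
    if isinstance(value, int):
        return value
    match = _LEADING_NUMBER.match(value)
    return float(match.group()) if match else 0.0


def filter_by_id_coerced(rows, raw_value):
    """Pre-fix behaviour: the raw value reaches the database, which coerces it."""
    wanted = mysql_like_numeric(raw_value)
    return [row for row in rows if row[0] == wanted]


def prepare_int_lookup(raw_value):
    """Post-fix behaviour: convert to the field's type before building SQL.

    int() raises ValueError on anything that is not a whole number, so the
    query is never issued with a value the database would have reinterpreted.
    """
    return int(raw_value)


def filter_by_id_checked(rows, raw_value):
    """Filter with a value that has been validated by prepare_int_lookup."""
    wanted = prepare_int_lookup(raw_value)
    return [row for row in rows if row[0] == wanted]


def lookup_is_rejected(raw_value):
    """True if the checked path refuses the value instead of querying with it."""
    try:
        prepare_int_lookup(raw_value)
    except (TypeError, ValueError):
        return True
    return False


if __name__ == "__main__":
    # Coerced: '1abc' matches id 1 and 'abc' matches id 0, as if the
    # comparison had been rewritten.
    print(filter_by_id_coerced(ROWS, "1abc"), filter_by_id_coerced(ROWS, "abc"))
    # Checked: only genuine integers reach the comparison.
    print(filter_by_id_checked(ROWS, "1"), lookup_is_rejected("1abc"))
```

The point of the checked path is not that it guesses better than the database; it is that a value which cannot be represented in the field's type produces an error in the application, where it can be handled, instead of a plausible-looking result set.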

The vulnerabilities are not critical, but Django users are advised to evaluate their own risk and update their installations as soon as possible. The master development branch, Django 1.7 beta, Django 1.6, Django 1.5 and Django 1.4 are impacted by the flaws.

For additional technical details on these Django security issues, check out the alert published by the Django Software Foundation. You can download Django, the latest versions, from Softpedia’s Scripts section.