Debian DSA-2755-1 : python-django - directory traversal

2013-09-1200:00:00

www.tenable.com

Rainer Koirikivi discovered a directory traversal vulnerability with’ssi’ template tags in python-django, a high-level Python web development framework.

It was shown that the handling of the ‘ALLOWED_INCLUDE_ROOTS’ setting, used to represent allowed prefixes for the {% ssi %} template tag, is vulnerable to a directory traversal attack, by specifying a file path which begins as the absolute path of a directory in’ALLOWED_INCLUDE_ROOTS’, and then uses relative paths to break free.

To exploit this vulnerability an attacker must be in a position to alter templates on the site, or the site to be attacked must have one or more templates making use of the ‘ssi’ tag, and must allow some form of unsanitized user input to be used as an argument to the ‘ssi’ tag.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-2755. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(69848);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");

  script_cve_id("CVE-2013-4315");
  script_xref(name:"DSA", value:"2755");

  script_name(english:"Debian DSA-2755-1 : python-django - directory traversal");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Rainer Koirikivi discovered a directory traversal vulnerability
with'ssi' template tags in python-django, a high-level Python web
development framework.

It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting,
used to represent allowed prefixes for the {% ssi %} template tag, is
vulnerable to a directory traversal attack, by specifying a file path
which begins as the absolute path of a directory
in'ALLOWED_INCLUDE_ROOTS', and then uses relative paths to break free.

To exploit this vulnerability an attacker must be in a position to
alter templates on the site, or the site to be attacked must have one
or more templates making use of the 'ssi' tag, and must allow some
form of unsanitized user input to be used as an argument to the 'ssi'
tag."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/squeeze/python-django"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/wheezy/python-django"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2013/dsa-2755"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the python-django packages.

For the oldstable distribution (squeeze), this problem has been fixed
in version 1.2.3-3+squeeze7.

For the stable distribution (wheezy), this problem has been fixed in
version 1.4.5-1+deb7u3."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-django");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2013/09/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"6.0", prefix:"python-django", reference:"1.2.3-3+squeeze7")) flag++;
if (deb_check(release:"6.0", prefix:"python-django-doc", reference:"1.2.3-3+squeeze7")) flag++;
if (deb_check(release:"7.0", prefix:"python-django", reference:"1.4.5-1+deb7u3")) flag++;
if (deb_check(release:"7.0", prefix:"python-django-doc", reference:"1.4.5-1+deb7u3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

VendorProductVersionCPE
debiandebian_linuxpython-djangop-cpe:/a:debian:debian_linux:python-django
debiandebian_linux6.0cpe:/o:debian:debian_linux:6.0
debiandebian_linux7.0cpe:/o:debian:debian_linux:7.0

Vendor	Product	Version	CPE
debian	debian_linux	python-django	p-cpe:/a:debian:debian_linux:python-django
debian	debian_linux	6.0	cpe:/o:debian:debian_linux:6.0
debian	debian_linux	7.0	cpe:/o:debian:debian_linux:7.0