Description

Almost any medium- to large-scale software project uses several external libraries to simplify development. In web development, libraries are common on the server (Django, Ruby on Rails, etc.) and on the client (jQuery, AngularJS, etc.). If such libraries are used, it is important to keep them up to date so that your application does not become vulnerable as bugs in them are discovered.

Virtually every application has issues with vulnerable components because most development teams do not focus on ensuring their components are up to date. In many cases, the developers do not even know all the components they are using, due to unexpected factors like component dependencies.

The application's validation for redirects did not correctly validate some malformed URLs, which are accepted by some browsers. This allows a user to be redirected to an unsafe URL unexpectedly. In turn, this allows remote attackers to conduct cross-site scripting attacks via a control character in a URL.
This affects Django versions before 1.7.7, and 1.8.x before 1.8c1; the fixed releases tighten the validation in is_safe_url(). Make sure that you have the latest version of Django installed. If you're using pip, you can check for outdated packages using the pip list --outdated command.

You can view the Django commit fixing this issue in version 1.7 or version 1.8.
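
The version ranges above can be checked against pinned requirements. This is an added example, not code from Django or from the original page. The function names and the sample requirements text are constructed for illustration, and the affected range is taken exactly as this page states it.

```python
import re

# Pre-release ordering: alpha < beta < release candidate < final release.
_PRE_RANK = {"a": 0, "b": 1, "c": 2, "rc": 2}
_FINAL = (3, 0)

def parse_version(text):
    """Turn '1.7.6', '1.8b2' or '1.8c1' into a tuple that sorts in release order."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:(a|b|c|rc)(\d+))?", text.strip().lower())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))          # pad so that 1.8 compares equal to 1.8.0
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else _FINAL
    return tuple(nums[:3]), pre

def django_is_affected(version):
    """True if version is in the range this page gives: <1.7.7, or 1.8.x <1.8c1."""
    parsed = parse_version(version)
    if parsed[0][:2] == (1, 8):
        return parsed < parse_version("1.8c1")
    return parsed < parse_version("1.7.7")

def affected_pins(requirements_text):
    """Return (line number, version) for each exact Django pin needing an upgrade.

    Pins whose version cannot be parsed are reported too, so they get reviewed
    by hand. Unpinned or ranged requirements are not evaluated here.
    """
    hits = []
    for no, line in enumerate(requirements_text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # drop comments
        m = re.fullmatch(r"django\s*==\s*(\S+)", line, re.IGNORECASE)
        if not m:
            continue
        try:
            flagged = django_is_affected(m.group(1))
        except ValueError:
            flagged = True
        if flagged:
            hits.append((no, m.group(1)))
    return hits

# Constructed sample input, not taken from any real project.
SAMPLE_REQUIREMENTS = "Django==1.7.6\nrequests==2.5.1\ndjango == 1.8b2  # beta\n"

if __name__ == "__main__":
    for line_no, version in affected_pins(SAMPLE_REQUIREMENTS):
        print("line %d: Django %s is in the affected range" % (line_no, version))
```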