This article describes the Django vulnerabilities CVE-2020-13254 and CVE-2020-13596, which were fixed on June 3, 2020.
See below for release information on the official website:
Django security releases issued: 3.0.7 and 2.2.13 | Weblog | Django
Affected Versions
The following versions are affected.
- Django master branch
- Django 3.1
- Django 3.0
- Django 2.2
Vulnerability Description(Potential Account Hijack via Password Reset Form)
CVE-2020-13254: Potential data leakage via malformed memcached keys
If you are using memcached, you can cause a data breach by passing an invalid key.
CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget
There is an XSS vulnerability in the query parameters generated by ForeignKeyRawIdWidget
on admin.
This vulnerability can be exploited if the model has a ForeignKey.limit_choices_to or The ManyToManyField.limit_choices_to is specified. field.
Proof of Concept
The version of the environment used in the sample code is as follows:
- Django 3.0.6
- pylibmc 1.6.1
- Python 3.8.3
- memcached 1.6.6
- libmemcached 1.0.18
CVE-2020-13254: Potential data leakage via malformed memcached keys
First, edit settings.py
as described in the official documentation. Here is an example configuration:
|
|
Then, run the following on the shell
command:
|
|
The last cache.get('my_key' + c)
should return None
. can get the value set by the 'my_key'
key and return the value of `hello, world! I’m done.
The last cache.get('my_key' + c)
should return None
. But I was able to get the value hello, world!
set by the 'my_key'
key.
CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget
You will need the following code:
example/models.py
|
|
example/admin.py
|
|
Create a database by makemigrations
and migrate
command, and create an admin user by createsuperuser
command.
The shell
command creates the following data:
|
|
Run the runserver
command to start up the development server and create UnsafeLimitChoicesTo
from the following URL. Set Band
to 1
:
http://127.0.0.1:8000/admin/example/unsafelimitchoicesto/add/
View the data after registration and check the HTML of the following magnifying glass button (in the red box).
The "&><escapeme
part is embedded without escaping, as shown below:
|
|
If you write a value like '"></a><script>alert(\'XSS\');</script><a href="'
in limit_choices_to
, you can put a script in admin.
Which Code Was Wrong and How It Was Fixed
The actual changes can be found in the GitHub code below:
CVE-2020-13254:
- On the master branch
- On the 3.1 release branch
- On the 3.0 release branch
- On the 2.2 release branch
CVE-2020-13596:
- On the master branch
- On the 3.1 release branch
- On the 3.0 release branch
- On the 2.2 release branch
CVE-2020-13254: Potential data leakage via malformed memcached keys
django.core.cache.backends.memcached.BaseMemcachedCache
passes the input value directly to memcached, and the It was.
So, we add the validate_key
method to check the input value, and if an invalid value is found, the the key is not passed to memcached, but instead a warning message is output if the It was.
In Django 3.0.7, running the code listed in the “Proof of Concept” section above, we found The following message will be displayed:
|
|
CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget
In django.contrib.admin.widgets.ForeignKeyRawIdWidget.get_context
, This was due to passing the related_url
variable (used to embed the value of limit_choices_to
into the magnifying glass button) using the django.utils.safestring.mark_safe
function. The value using django.utils.safestring.mark_safe
is It will not be escaped on the template.
The modified code now uses django.utils.http.urlencode
instead of django.utils.safestring.mark_safe
.
In Django 3.0.7, running the code listed in the “Proof of Concept” section above, you can find that The "&><escapeme
will now be escaped:
|
|