CVE-2012-4520

Advisory

The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4520
• https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145
• http://www.osvdb.org/86493
• https://www.djangoproject.com/weblog/2012/oct/17/security/
• http://securitytracker.com/id?1027708
• http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html
• http://secunia.com/advisories/51314
• http://secunia.com/advisories/51033
• https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071
• http://www.openwall.com/lists/oss-security/2012/10/30/4
• https://bugzilla.redhat.com/show_bug.cgi?id=865164
• https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3
• http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html
• http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html
• http://ubuntu.com/usn/usn-1632-1
• http://www.debian.org/security/2013/dsa-2634
• http://ubuntu.com/usn/usn-1757-1