
Django Vulnerable to Open Redirects in CommonMiddleware Paving Way for Phishing Attacks

The developers behind the Django Project have released two new versions of the Python Web framework, Django 1.11.15 and Django 2.0.8, following a report by Andreas Hug of an open redirect vulnerability in CommonMiddleware. The vulnerability has been assigned the identifier CVE-2018-14574, and the released updates resolve the flaw present in older versions of Django.

Django is an open-source Python Web framework designed for application developers. It provides the fundamental building blocks Web developers need so that they do not have to rewrite the basics, letting them focus on the code of their own application. The framework is free to use, flexible enough to suit individual needs, and incorporates security features and fixes intended to help developers steer clear of security flaws in their programs.

As reported by Hug, the vulnerability can be exploited when the “django.middleware.common.CommonMiddleware” middleware and the “APPEND_SLASH” setting are both enabled. Because many content management systems define a URL pattern that accepts any path ending in a slash, a request to a maliciously crafted URL on such a site (one that, once the slash is appended, also ends in a slash) could cause a redirect from the accessed site to another, attacker-chosen site, through which a remote attacker could carry out phishing and scamming attacks against the unsuspecting user.
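The mechanism above, as an added illustration that is not Django's own code: a minimal stand-in for a slash-appending middleware with a constructed catch-all route, the leading-slash escaping that the fixed releases apply, and a check a defender can run over `Location` headers to confirm a redirect stays on the same host (the host name `evil.example` is a constructed placeholder).

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for a CMS route that accepts any path ending in "/".
CATCH_ALL_SLASH_ROUTE = re.compile(r"^/(?P<page>.*)/$")


def resolves(path: str) -> bool:
    """True if the site would serve this path (the precondition the page
    describes: an APPEND_SLASH redirect is only issued when path + "/" resolves)."""
    return CATCH_ALL_SLASH_ROUTE.match(path) is not None


def append_slash_location(path: str, escape_leading_slashes: bool) -> Optional[str]:
    """Return the Location a slash-appending middleware would send for a
    request without a trailing slash, or None when no redirect is issued.
    escape_leading_slashes=False models the vulnerable behaviour;
    True models the hardening shipped in the fixed releases."""
    if path.endswith("/"):
        return None
    candidate = path + "/"
    if not resolves(candidate):
        return None
    if escape_leading_slashes and candidate.startswith("//"):
        # A Location of "//host/..." is scheme-relative, so a browser treats
        # it as a different host. Percent-encoding the second slash keeps it
        # a path on the current site.
        candidate = "/%2F" + candidate[2:]
    return candidate


def is_local_redirect(location: str) -> bool:
    """Defender-side check for a Location header: no scheme, no network
    location, and no scheme-relative '//' prefix means same-host redirect."""
    parts = urlsplit(location)
    return not parts.scheme and not parts.netloc and not location.startswith("//")
```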

This vulnerability affects the Django master branch, Django 2.1, Django 2.0, and Django 1.11. Because Django 1.10 and older are no longer supported, the developers have not released updates for those versions; users still running them are advised to upgrade to a supported release. The updates just released resolve the vulnerability in Django 2.0 and Django 1.11, with a fixed release for Django 2.1 still pending.

Patches for the 1.11, 2.0, 2.1, and master release branches have been issued, in addition to the full releases of Django 1.11.15 and Django 2.0.8. Users are advised to apply the patch, upgrade to the corresponding fixed version, or upgrade to the latest release. Details of these updates are also available in the advisory published on the Django Project website.
