CVE-2009-3695 - Remote Denial of Service vulnerability in Django 'EmailField' and 'URLField'

047910
CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
Tags: network, low complexity, djangoproject, nessus

Summary

Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.

Vulnerable Configurations

Part         Description    Count
Application  Djangoproject  2

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1905.NASL
    description: The forms library of python-django, a high-level Python web development framework, is using a badly chosen regular expression when validating email addresses and URLs. An attacker can use this to perform denial of service attacks (100% CPU consumption) due to bad backtracking via a specially crafted email address or URL which is validated by the django forms library. python-django in the oldstable distribution (etch), is not affected by this problem.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 44770
    published: 2010-02-24
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/44770
    title: Debian DSA-1905-1 : python-django - insufficient input validation
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1905. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(44770);
      script_version("1.9");
      script_cvs_date("Date: 2019/08/02 13:32:22");
    
      script_cve_id("CVE-2009-3695");
      script_xref(name:"DSA", value:"1905");
    
      script_name(english:"Debian DSA-1905-1 : python-django - insufficient input validation");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The forms library of python-django, a high-level Python web
    development framework, is using a badly chosen regular expression when
    validating email addresses and URLs. An attacker can use this to
    perform denial of service attacks (100% CPU consumption) due to bad
    backtracking via a specially crafted email address or URL which is
    validated by the django forms library.
    
    python-django in the oldstable distribution (etch), is not affected by
    this problem."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550457"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2009/dsa-1905"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the python-django packages.
    
    For the stable distribution (lenny), this problem has been fixed in
    version 1.0.2-1+lenny2."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-django");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/10/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"5.0", prefix:"python-django", reference:"1.0.2-1+lenny2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_87917D6FBA7611DEBAC2001A4D563A0F.NASL
    description: Django project reports : Django
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 42170
    published: 2009-10-19
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/42170
    title: FreeBSD : django -- denial-of-service attack (87917d6f-ba76-11de-bac2-001a4d563a0f)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2009-276.NASL
    description: Multiple vulnerabilities have been found and corrected in python-django : The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected static media files, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL (CVE-2009-2659). Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression (CVE-2009-3695). The versions of Django shipping with Mandriva Linux have been updated to the latest patched version that includes the fix for this issue. In addition, they provide other bug fixes. Update : Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 42131
    published: 2009-10-15
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/42131
    title: Mandriva Linux Security Advisory : python-django (MDVSA-2009:276-1)