CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile: 77.3%
Rainer Koirikivi discovered a directory traversal vulnerability with 'ssi' template tags in python-django, a high-level Python web development framework.
It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting, used to represent allowed prefixes for the {% ssi %} template tag, is vulnerable to a directory traversal attack: a file path that begins with the absolute path of a directory in 'ALLOWED_INCLUDE_ROOTS' passes the prefix check, and relative path components ('..') after that prefix then break out of the allowed directory.
To exploit this vulnerability an attacker must be in a position to alter templates on the site, or the site to be attacked must have one or more templates making use of the 'ssi' tag and must allow some form of unsanitized user input to be used as an argument to the 'ssi' tag.
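As an added illustration (not part of the advisory and not Django's own code), the check below contrasts a bare string-prefix comparison of the kind the advisory describes with a version that normalizes the path before testing containment. The ALLOWED_INCLUDE_ROOTS value and the file paths are constructed for this example; the check is purely lexical (posixpath.normpath), so it runs without the files existing and regardless of host platform.

```python
import posixpath

# Constructed whitelist in the shape of Django's ALLOWED_INCLUDE_ROOTS setting
# (an example value for this illustration, not taken from any real deployment).
ALLOWED_INCLUDE_ROOTS = ("/var/www/site/templates/snippets",)


def include_is_allowed_vulnerable(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Bare prefix test: the pattern the advisory describes as vulnerable.

    A path that starts with an allowed root but carries '..' segments after it
    passes, and the operating system later resolves it to a file outside the root.
    """
    return any(filepath.startswith(root) for root in roots)


def include_is_allowed_hardened(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Normalize first, then test containment on whole path components.

    posixpath.normpath collapses '.' and '..' lexically, so the traversal is
    resolved before the comparison.  posixpath.commonpath compares component by
    component, which also rejects sibling directories that merely share a string
    prefix with the root (e.g. '.../snippets_private').  Relative paths are
    rejected outright, since an {% ssi %} argument is expected to be absolute.
    """
    if not posixpath.isabs(filepath):
        return False
    resolved = posixpath.normpath(filepath)
    for root in roots:
        root_norm = posixpath.normpath(root)
        if posixpath.commonpath([root_norm, resolved]) == root_norm:
            return True
    return False


def compare_checks(paths):
    """Run both checks over the given paths; returns {path: (vulnerable, hardened)}."""
    return {p: (include_is_allowed_vulnerable(p), include_is_allowed_hardened(p))
            for p in paths}


# Constructed inputs: a legitimate include, a traversal of the kind the advisory
# describes, a sibling directory sharing the root's string prefix, a relative path.
SAMPLE_PATHS = (
    "/var/www/site/templates/snippets/footer.html",
    "/var/www/site/templates/snippets/../../../../../etc/passwd",
    "/var/www/site/templates/snippets_private/secret.html",
    "snippets/footer.html",
)

if __name__ == "__main__":
    for path, (vuln, hard) in compare_checks(SAMPLE_PATHS).items():
        print(f"{path}\n  prefix check: {vuln}  normalized check: {hard}")
```

The traversal path passes the prefix check and fails the normalized one. Note that a fix which only normalizes and then keeps a startswith comparison still accepts sibling directories such as 'snippets_private', which is why the hardened version compares components with commonpath. Both checks here are lexical; a deployed check should additionally resolve symlinks (os.path.realpath) before the containment test, because commonpath cannot see where a link inside the root points.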
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-2755. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(69848);
script_version("1.9");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");
script_cve_id("CVE-2013-4315");
script_xref(name:"DSA", value:"2755");
script_name(english:"Debian DSA-2755-1 : python-django - directory traversal");
script_summary(english:"Checks dpkg output for the updated package");
script_set_attribute(
attribute:"synopsis",
value:"The remote Debian host is missing a security-related update."
);
script_set_attribute(
attribute:"description",
value:
"Rainer Koirikivi discovered a directory traversal vulnerability
with 'ssi' template tags in python-django, a high-level Python web
development framework.
It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting,
used to represent allowed prefixes for the {% ssi %} template tag, is
vulnerable to a directory traversal attack, by specifying a file path
which begins as the absolute path of a directory
in 'ALLOWED_INCLUDE_ROOTS', and then uses relative paths to break free.
To exploit this vulnerability an attacker must be in a position to
alter templates on the site, or the site to be attacked must have one
or more templates making use of the 'ssi' tag, and must allow some
form of unsanitized user input to be used as an argument to the 'ssi'
tag."
);
script_set_attribute(
attribute:"see_also",
value:"https://packages.debian.org/source/squeeze/python-django"
);
script_set_attribute(
attribute:"see_also",
value:"https://packages.debian.org/source/wheezy/python-django"
);
script_set_attribute(
attribute:"see_also",
value:"https://www.debian.org/security/2013/dsa-2755"
);
script_set_attribute(
attribute:"solution",
value:
"Upgrade the python-django packages.
For the oldstable distribution (squeeze), this problem has been fixed
in version 1.2.3-3+squeeze7.
For the stable distribution (wheezy), this problem has been fixed in
version 1.4.5-1+deb7u3."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-django");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
script_set_attribute(attribute:"patch_publication_date", value:"2013/09/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/12");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Debian Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include("audit.inc");
include("debian_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (deb_check(release:"6.0", prefix:"python-django", reference:"1.2.3-3+squeeze7")) flag++;
if (deb_check(release:"6.0", prefix:"python-django-doc", reference:"1.2.3-3+squeeze7")) flag++;
if (deb_check(release:"7.0", prefix:"python-django", reference:"1.4.5-1+deb7u3")) flag++;
if (deb_check(release:"7.0", prefix:"python-django-doc", reference:"1.4.5-1+deb7u3")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
else security_warning(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
Vendor | Product | Version | CPE |
---|---|---|---|
debian | debian_linux | python-django | p-cpe:/a:debian:debian_linux:python-django |
debian | debian_linux | 6.0 | cpe:/o:debian:debian_linux:6.0 |
debian | debian_linux | 7.0 | cpe:/o:debian:debian_linux:7.0 |