The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com."
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
| Link | Tags |
|---|---|
| http://secunia.com/advisories/61281 | third party advisory |
| http://www.debian.org/security/2014/dsa-2934 | third party advisory vendor advisory |
| http://ubuntu.com/usn/usn-2212-1 | third party advisory vendor advisory |
| http://www.securityfocus.com/bid/67410 | third party advisory vdb entry |
| http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html | third party advisory vendor advisory |
| http://www.openwall.com/lists/oss-security/2014/05/15/3 | third party advisory mailing list |
| https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/ | patch vendor advisory |
| http://www.openwall.com/lists/oss-security/2014/05/14/10 | third party advisory mailing list |