#18529: Can get system access through injection in /media
---------------------------------+----------------------
     Reporter:  dmitry.nosov@…   |      Owner:  nobody
         Type:  Bug              |     Status:  new
    Component:  Core (URLs)      |    Version:  1.4
     Severity:  Release blocker  |   Keywords:  security
 Triage Stage:  Unreviewed       |  Has patch:  0
Easy pickings:  0                |      UI/UX:  0
---------------------------------+----------------------
Hi,
My guess is that media is served by django.views.static.serve and its pattern is (r'^media\/(?P<path>.*)$') in Django 1.4; the following injection is possible:

wget http://reviews.reviewboard.org/admin/media/"`ls -l`"

You can use any command instead of ls -l.

--
Ticket URL: <https://code.djangoproject.com/ticket/18529>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
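Added example, not part of the ticket and not Django's code: it shows where the backticks in the wget command above are evaluated (in the reporter's own POSIX shell, before wget receives the URL) and how a path-normalising static file view of the kind the reporter names handles the path that actually arrives. The normaliser below is a simplified stand-in written for this example, modelled on the percent-decode / normpath / drop-".." approach of django.views.static.serve rather than being its code; the host name example.invalid, the document root /srv/media and the file names are made up.

```python
import os
import posixpath
import subprocess
from urllib.parse import quote, unquote


def shell_expand(arg):
    """Return the single argument POSIX sh hands to a program after quote
    removal and command substitution. This reproduces what happens on the
    client machine before wget (or any HTTP client) ever sees the URL."""
    out = subprocess.run(["sh", "-c", "printf %s " + arg],
                         capture_output=True, text=True, check=True)
    return out.stdout


def normalise_static_path(path):
    """Simplified stand-in (an assumption for this example, not Django's own
    code) for the cleanup a static-file view does on the captured <path>:
    percent-decode, normalise, then drop empty, '.' and '..' components so
    the result is a relative path that cannot climb out of the root."""
    path = posixpath.normpath(unquote(path)).lstrip("/")
    parts = [p for p in path.split("/") if p and p not in (".", "..")]
    return "/".join(parts)


def resolve_under_root(document_root, path):
    """Join the cleaned path onto document_root and confirm it stays inside.
    Returns the filesystem path the view would open; raises otherwise."""
    full = os.path.normpath(os.path.join(document_root,
                                         normalise_static_path(path)))
    root = os.path.normpath(document_root)
    if full != root and not full.startswith(root + os.sep):
        raise ValueError("path escapes document root")
    return full


if __name__ == "__main__":
    # Double quotes: the local shell runs `echo hello` and substitutes its
    # output, so the server only ever receives ".../media/hello".
    print(shell_expand('http://example.invalid/media/"`echo hello`"'))

    # Single quotes: nothing runs locally; the backtick string is sent
    # literally (percent-encoded on the wire) and decoded back into a plain
    # filename on the server side, where it is only used for a file lookup.
    literal = shell_expand("'http://example.invalid/media/`echo hello`'")
    print(literal)
    encoded = quote(literal.split("/media/", 1)[1])
    print(encoded)                                    # %60echo%20hello%60
    print(resolve_under_root("/srv/media", encoded))

    # A traversal attempt is reduced to a path inside the document root.
    print(resolve_under_root("/srv/media", "../../etc/passwd"))
```

Run it with `python3 example.py` on a system with `/bin/sh`. The first line printed is what the quoted command above actually requests: the substituted output of the local command, not a request the server interprets. The remaining lines show that a literal backtick string survives only as a percent-encoded filename and that `..` components are stripped before anything is opened, which is the check to run against any static handler before filing a traversal or injection report.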