django: file request forgery
Package(s): | django |
CVE #(s): | |
Created: | August 4, 2009 |
Updated: | August 5, 2009 |
Description: |
From the Django
security advisory: Django includes a lightweight, WSGI-based web server
for use in learning Django and in testing new applications during early
stages of development. For sake of convenience, this web server
automatically maps certain URLs corresponding to the static media files
used by the Django administrative application. The handler which maps
these URLs did not properly check the requested URL to verify that it
corresponds to a static media file used by Django. As such, a
carefully-crafted URL can cause the development server to serve any file to
which it has read access. |
Alerts: |
|
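The missing check the advisory describes, verifying that a requested URL really corresponds to a file inside the media directory, can be written as a containment test on the resolved path. This is an added example, not Django's code or its actual fix; `MEDIA_PREFIX`, `resolve_media_path` and `build_sample_tree` are hypothetical names, and the directory tree is constructed sample data.

```python
import os
import tempfile
from urllib.parse import unquote

MEDIA_PREFIX = "/media/"  # assumed URL prefix, chosen for this example


def resolve_media_path(url_path, media_root, prefix=MEDIA_PREFIX):
    """Return the real path of a regular file under media_root, else None."""
    if not url_path.startswith(prefix):
        return None
    relative = unquote(url_path[len(prefix):])  # decode %2e%2e etc. first
    if "\x00" in relative:
        return None
    root = os.path.realpath(media_root)
    # realpath collapses ".." segments and follows symlinks, so the
    # comparison below is made on the file that would really be opened.
    candidate = os.path.realpath(os.path.join(root, relative))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. different drives on Windows
        inside = False
    if not inside or not os.path.isfile(candidate):
        return None
    return candidate


def build_sample_tree():
    """Constructed sample data: a media root and a file outside it."""
    base = tempfile.mkdtemp()
    media_root = os.path.join(base, "media")
    os.makedirs(os.path.join(media_root, "css"))
    with open(os.path.join(media_root, "css", "base.css"), "w") as fh:
        fh.write("body {}\n")
    outside = os.path.join(base, "settings.py")
    with open(outside, "w") as fh:
        fh.write("SECRET_KEY = 'constructed-sample'\n")
    # A symlink inside the media root that points outside it.
    os.symlink(outside, os.path.join(media_root, "link.py"))
    return media_root, outside


if __name__ == "__main__":
    root, outside = build_sample_tree()
    for url in ("/media/css/base.css", "/media/../settings.py",
                "/media/%2e%2e/settings.py", "/media/" + outside,
                "/media/link.py", "/static/css/base.css"):
        print(url, "->", resolve_media_path(url, root))
```

Only the first request is served; the rest resolve outside the media root or do not match the prefix and return `None`.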