
CVE-2012-4520: Django Allows Arbitrary URL Generation

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.88547%
Published: 5/17/2022
Updated: 9/18/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
django         pip         >= 1.3, < 1.3.4       1.3.4
django         pip         >= 1.4, < 1.4.2       1.4.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from two key points:

  1. The original get_host() function lacked validation for dangerous characters (e.g., '@') in the Host header, allowing URL manipulation (CWE-20). The commit adds a check for these characters.
  2. The admin password reset view (when is_admin_site=True) used the raw HTTP_HOST value from request.META, bypassing get_host()'s validation entirely in vulnerable versions. The patch replaced this with request.get_host(), which (after being fixed) enforced proper validation. The combination of these two factors allowed attackers to control the domain in generated URLs via malicious Host headers.
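As an added illustration of the two points above (this is constructed example code, not Django's own implementation or the actual patch), the snippet below contrasts building a password-reset URL straight from the raw HTTP_HOST value with first passing that value through a strict host validator. The HOST_RE pattern, the META dictionary shape and the function names are assumptions for the example.

```python
import re

# Constructed example (not Django's code): a Host-header validator in the spirit of the
# fix shipped in Django 1.3.4 / 1.4.2. A valid host is a hostname, an IPv4 literal, or a
# bracketed IPv6 literal, optionally followed by ":port". Anything else, including the
# userinfo separator '@', is rejected so it can never end up inside a generated URL.
HOST_RE = re.compile(
    r"^(?P<host>[a-zA-Z0-9.-]+|\[[a-fA-F0-9:.]+\])(?::(?P<port>\d{1,5}))?$"
)


def is_safe_host(raw_host):
    """True if the Host header value is syntactically a plain host[:port]."""
    return HOST_RE.match(raw_host or "") is not None


def validate_host(raw_host):
    """Return the Host header value unchanged if it is safe, else raise ValueError."""
    if not is_safe_host(raw_host):
        raise ValueError("invalid Host header: %r" % (raw_host,))
    return raw_host


def build_reset_url_unsafe(meta, path):
    # Vulnerable pattern described in point 2: the raw HTTP_HOST value is trusted
    # verbatim, so whatever the client sent becomes the authority part of the URL.
    return "https://%s%s" % (meta["HTTP_HOST"], path)


def build_reset_url_safe(meta, path):
    # Hardened pattern: the header is validated before it can reach the URL.
    return "https://%s%s" % (validate_host(meta["HTTP_HOST"]), path)


if __name__ == "__main__":
    # Constructed sample request metadata, one benign and one containing '@'.
    for meta in ({"HTTP_HOST": "example.com:8443"},
                 {"HTTP_HOST": "example.com:pw@other.example"}):
        print("unsafe:", build_reset_url_unsafe(meta, "/admin/password_reset/"))
        try:
            print("safe:  ", build_reset_url_safe(meta, "/admin/password_reset/"))
        except ValueError as exc:
            print("safe:   rejected ->", exc)
```

The same validator can be applied to any place that derives an absolute URL from the request, not only the admin reset view.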


WAF Protection Rules

WAF Rule

The `django.http.HttpRequest.get_host` function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
