Django Message Files Remote Arbitrary Command Execution Vulnerability

Bugtraq ID:	22134
Class:	Input Validation Error
CVE:	CVE-2007-0404
Remote:	Yes
Local:	No
Published:	Jan 19 2007 12:00AM
Updated:	May 12 2015 07:35PM
Credit:	The vendor disclosed this issue.
Vulnerable:	Djangoproject Django 0.95
Not Vulnerable:

Django Message Files Remote Arbitrary Command Execution Vulnerability

Django is prone to a vulnerability that may permit the execution of remote arbitrary shell commands because the application fails to properly sanitize user-supplied input before using it in a Python 'os.system()' function call.

Exploiting this issue allows attackers to execute remote arbitrary shell commands with the privileges of users executing a vulnerable version of the application.

This issue affects version 0.95; other versions may also be affected.

Django Message Files Remote Arbitrary Command Execution Vulnerability

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Django Message Files Remote Arbitrary Command Execution Vulnerability

Solution:
The vendor has addressed this issue in the latest SVN release. Please see the references for more information.


Django Django 0.95

• Django Django-0.95.tar.gz
  http://www.djangoproject.com/download/0.95/tarball/Django-0.95.tar.gz

Django Message Files Remote Arbitrary Command Execution Vulnerability

References:

• Changeset 3592 -Fixed small security hole in bin/compile-messages.py (Django)
  
• Django Homepage (Django)
  
• Ticket #2702 (closed: fixed) (Django)
  
• Debian Bug report logs - #407519 Security fix for Django i18n system (Django)