Coordinated Disclosure Timeline
- 2021-05-13: Report sent to maintainers
- 2021-05-13: Report is acknowledged
- 2021-05-17: A patch for the issue is proposed
- 2021-06-02: Vulnerability was made public
Summary
A Path Injection issue was found in django that allows a malicious admin user to disclose the presence of files on the file-system if the module django.contrib.admindocs is enabled.
Product
django
Tested Version
3.2.2
Details
There is an unsafe path join operation in views.py that allows an attacker to supply paths that resolve outside the templates directory (1).
from pathlib import Path

from django.core.exceptions import ImproperlyConfigured
from django.template.engine import Engine
# BaseAdminDocsView is defined earlier in the same file (django/contrib/admindocs/views.py).


class TemplateDetailView(BaseAdminDocsView):
    template_name = 'admin_doc/template_detail.html'

    def get_context_data(self, **kwargs):
        template = self.kwargs['template']
        templates = []
        try:
            default_engine = Engine.get_default()
        except ImproperlyConfigured:
            # Non-trivial TEMPLATES settings aren't supported (#24125).
            pass
        else:
            # This doesn't account for template loaders (#24128).
            for index, directory in enumerate(default_engine.dirs):
                # NOTE(1): `template` is controlled by an attacker.
                template_file = Path(directory) / template
                if template_file.exists():
                    # NOTE(2)
                    template_contents = template_file.read_text()
                else:
                    template_contents = ''
                templates.append({
                    'file': template_file,
                    'exists': template_file.exists(),
                    'contents': template_contents,
                    'order': index,
                })
        return super().get_context_data(**{
            **kwargs,
            'name': template,
            'templates': templates,
        })
By logging in as an admin and requesting the following page, an attacker can detect the presence of arbitrary files in the filesystem, in this case the presence of /etc/passwd:
http://localhost:8000/admin/doc/templates//etc/passwd/
In (2) we see that the file is read and its contents are passed to the rendering method. We could not find a way to display the results but a more in-depth look into this seems advisable.
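The root cause at (1) is a property of pathlib, not of Django: when the right-hand operand of `/` is an absolute path, the left-hand base directory is discarded entirely, and a relative `..` segment is not normalised before `exists()` is called. The following is an added example, not code from the advisory or from Django, that reproduces the vulnerable join against a temporary directory and puts a contained-path check beside it. The check resolves both the base and the candidate and requires the candidate to be relative to the base, the same kind of containment test Django's own `django.utils._os.safe_join` helper performs; the function names and the temporary layout are this example's assumptions.

```python
import tempfile
from pathlib import Path


def unsafe_template_path(directory, template):
    """The vulnerable join from the advisory: an absolute `template`
    replaces `directory`, and '..' is followed when the path is stat'ed."""
    return Path(directory) / template


def safe_template_path(directory, template):
    """Hardened variant (hypothetical name): return the resolved path only
    if it stays inside the template directory, otherwise None."""
    base = Path(directory).resolve()
    candidate = (base / template).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        # Escaped the base (absolute path or '..'): refuse rather than stat it.
        return None
    return candidate


def probe(directory, template, joiner):
    """Mimic what the view records for one template directory."""
    path = joiner(directory, template)
    if path is None:
        return {'file': None, 'exists': False}
    return {'file': str(path), 'exists': path.exists()}


def demo():
    """Constructed layout: <tmp>/templates/index.html is a legitimate
    template, <tmp>/secret.txt stands in for a file outside the base."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / 'templates'
        base.mkdir()
        (base / 'index.html').write_text('<h1>hello</h1>')
        outside = Path(tmp) / 'secret.txt'
        outside.write_text('not a template')
        return {
            # vulnerable join: legitimate lookup works, but so do both escapes
            'unsafe_legit': probe(base, 'index.html', unsafe_template_path)['exists'],
            'unsafe_abs': probe(base, str(outside), unsafe_template_path)['exists'],
            'unsafe_dotdot': probe(base, '../secret.txt', unsafe_template_path)['exists'],
            # contained join: legitimate lookup works, both escapes are rejected
            'safe_legit': probe(base, 'index.html', safe_template_path)['exists'],
            'safe_abs': probe(base, str(outside), safe_template_path)['file'],
            'safe_dotdot': probe(base, '../secret.txt', safe_template_path)['file'],
        }


if __name__ == '__main__':
    for name, value in demo().items():
        print(f'{name}: {value}')
```

Returning `None` (and, in a real view, logging the rejected name) is preferable to silently stat'ing the path, because the existence bit itself is the information the advisory describes leaking: any code path that still calls `exists()` on an uncontained path reproduces the issue even if the contents are never rendered.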
Impact
An authenticated malicious admin can disclose the presence of arbitrary files.
Resources
- https://github.com/django/django/blob/e1e81aa1c4427411e3c68facdd761229ffea6f6f/django/contrib/admindocs/views.py#L336
- https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
CVE
- CVE-2021-33203
Credit
This issue was discovered by Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from the CodeQL Python team.
Contact
You can contact the GHSL team at securitylab@github.com, please include GHSL-2021-075 in any communication regarding this issue.