Python django postgresql Vulnerability

in #django5 years ago (edited)

An new vulnerability has been found in django’s postgresql module

Summary
A new vulnerability has been found in the popular python web framework
django. Due to in proper validation of the sql data in the database
module for postgresql.
An attacker could send malicious sql commands and cause an sql injection.

Django
Django is getting more and more popular
on stackshare.io we can see that it’s being used by over 1900
companies that has published their tech stack.

stackshare django
CVE
The vulnerability has been given the CVE of CVE-2020-7471.

The vulnerability
The author of this CVE and the founder of the security vulnerability
Simon Charette quickly reported and the vulnerability

This is a reminder that is it always important to escape user input.
A simple search on github displays over a million pieces of code that
is using django’s postgresql module.
So if you are running django with its built in postgresql module
in production. Its time to update your django library and verify that your escaping
the users input.

Git commit:
Old vulnerable code:

class StringAgg(OrderableAggMixin, Aggregate):
function = 'STRING_AGG'
template = "%(function)s(%(distinct)s%(expressions)s, '%(delimiter)s'%(ordering)s)"
allow_distinct = True

New updated code:

class StringAgg(OrderableAggMixin, Aggregate):
function = 'STRING_AGG'
template = '%(function)s(%(distinct)s%(expressions)s %(ordering)s)'
allow_distinct = True

So basically just removing the delimiter

Link:
https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136

The vulnerability has even made it to github’s own security advisory:
https://github.com/advisories/GHSA-hmr4-m2h5-33qx

Escaping sql
The majority of attacks against sql databases such as sql injection is
building on making the system perform malicious sql queries.
A popular prevention for this is escaping the users input in the
hope of removing the bad parts of it.
Mariadb has a built in feature for this called “mysql_real_escape_string”.
Since we are assuming you are using python their is a great way to do it with
the python mariadb/mysql library pymysql and use the built in function “escape_string”.
The majority of sql client libraries has some kind of escape_string function
built in to them.

External links:
CVE-2020-7471
SQL injection
Django Security Release
Stackoverflow escape characters in mysql
Original post:
https://blog.firosolutions.com/exploits/python-django-vulnerability-2020/

Sort:  

If you work with PostgreSQL, you can try ODBC for PostgreSQL for a better connection.

Coin Marketplace

STEEM 0.15
TRX 0.17
JST 0.028
BTC 69075.42
ETH 2475.71
USDT 1.00
SBD 2.35