PT-2011-4856 · Django · Django

Published

2011-10-19

·

Updated

2022-05-14

·

CVE-2011-4138

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Django versions 1.2.0 through 1.2.7
Django versions 1.3.x through 1.3.1
Description

The issue concerns the verify_exists functionality of the URLField implementation. It first tests a URL's validity with a HEAD request, but if the server answers with a redirect it contacts the new target URL with a GET request instead. This might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address (that of the Django host) via a crafted Location header.

Recommendations

For Django versions 1.2.0 through 1.2.7, update to version 1.2.7 or later. For Django versions 1.3.x through 1.3.1, update to version 1.3.1 or later. As a temporary workaround, consider disabling the verify_exists functionality until a patch is available.
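The description above comes down to two defects in a reachability check: the method changed from HEAD to GET on redirect, and the redirect target was contacted without being validated. The following added example (written for this page; it is not Django's code and not the project's fix) shows a URL reachability check structured the other way round: every hop, including redirect targets, goes through the same scheme and address validation before it is contacted, the method never changes, and the number of hops is bounded. The names `verify_url`, `UnsafeURL`, and the injected `head` and `resolve` callables are assumptions of this example, chosen so the check can run offline against stubs.

```python
# Added illustrative example (not Django's own code): a URL reachability
# check that keeps the same HTTP method across redirects and re-validates
# every redirect target before it is contacted. The `head` and `resolve`
# callables are injected (hypothetical interfaces) so the check runs offline.
import ipaddress
from urllib.parse import urlsplit, urljoin


class UnsafeURL(Exception):
    """Raised when a URL, or a redirect target, must not be contacted."""


def _public_addresses_only(host, resolve):
    """Reject hosts that are, or resolve to, non-public IP addresses."""
    try:
        candidates = [str(ipaddress.ip_address(host))]  # IP literal: no lookup
    except ValueError:
        candidates = list(resolve(host))               # hypothetical resolver
    if not candidates:
        raise UnsafeURL(f"{host!r} does not resolve")
    for ip in candidates:
        addr = ipaddress.ip_address(ip)
        # is_global is False for loopback, RFC 1918, link-local (including
        # cloud metadata ranges) and the documentation/test networks.
        if not addr.is_global:
            raise UnsafeURL(f"{host!r} maps to non-public address {ip}")


def verify_url(url, head, resolve, max_redirects=5):
    """Check that `url` answers 2xx to HEAD, following at most `max_redirects`
    redirects. Each hop is validated exactly like the initial URL and is
    requested with HEAD, never GET. Returns (reachable, final_url).

    head(url)     -> (status_code, headers_dict)     (assumed interface)
    resolve(host) -> iterable of IP address strings  (assumed interface)
    """
    current = url
    for _ in range(max_redirects + 1):
        parts = urlsplit(current)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise UnsafeURL(f"unsupported or malformed URL {current!r}")
        _public_addresses_only(parts.hostname, resolve)

        status, headers = head(current)
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if 300 <= status < 400 and location:
            # Resolve a relative Location against the current URL, then loop
            # so the new target is checked before any request is sent to it.
            current = urljoin(current, location)
            continue
        return 200 <= status < 300, current
    raise UnsafeURL(f"more than {max_redirects} redirects from {url!r}")
```

The important property is that the validation sits at the top of the loop rather than only in front of the first request, so a Location header pointing at loopback, a private range, or an IP literal is rejected before the second request exists; the redirect budget keeps a server from holding the checker in a loop.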

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2011-4138
DSA-2332-1
GHSA-WXG3-MFPH-QG9W
PYSEC-2011-3

Affected Products

Django