Development #33079

useless traces from fuzzing in /tracking-code/

Added by Thomas Noël 9 days ago. Updated 9 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Start date:
14 May 2019
Due date:
% Done:

0%

Patch proposed:
No
Planning:
No

Description

Unsafe redirect to URL with protocol 'file'

Report at /tracking-code/
Unsafe redirect to URL with protocol 'file'

Request Method: POST
Request URL: https://departement06.test.entrouvert.org/tracking-code/
Django Version: 1.11.20
Python Executable: /usr/bin/uwsgi-core
Python Version: 2.7.13
Python Path: ['.', '', '/usr/lib/python2.7', '/usr/lib/python2.7/plat-x86_64-linux-gnu', '/usr/lib/python2.7/lib-tk', '/usr/lib/python2.7/lib-old',
'/usr/lib/python2.7/lib-dynload', '/usr/local/lib/python2.7/dist-packages', '/usr/lib/python2.7/dist-packages']
Server time: mar, 14 Mai 2019 11:13:52 +0200
Installed Applications:
''
Installed Middleware:
''

Request information:
USER: ca829e61a2d94ee89a6c2b19148ccf

GET: No GET data

POST:
url = u'file://path/to/file'
cell = u'44'
code = u'{{8*8}}'

History

#1 Updated by Thomas Noël 9 days ago

  • Subject changed from useless trace on fake url attempt on to useless trace on fake url attempt on /tracking-code/ (following fuzzing)

#2 Updated by Thomas Noël 9 days ago

  • Subject changed from useless trace on fake url attempt on /tracking-code/ (following fuzzing) to useless traces from fuzzing in /tracking-code/

In the same series, POST without code:

Internal Server Error: /tracking-code/

MultiValueDictKeyError at /tracking-code/
"'code'" 

Request Method: POST
Request URL: https://departement06.test.entrouvert.org/tracking-code/
Django Version: 1.11.20
Python Executable: /usr/bin/uwsgi-core
Python Version: 2.7.13
Python Path: ['.', '', '/usr/lib/python2.7', '/usr/lib/python2.7/plat-x86_64-linux-gnu', '/usr/lib/python2.7/lib-tk', '/usr/lib/python2.7/lib-old', '/usr/lib/python2.7/lib-dynload', '/usr/local/lib/python2.7/dist-packages', '/usr/lib/python2.7/dist-packages']
Server time: mar, 14 Mai 2019 11:57:15 +0200
Installed Applications:
''
Installed Middleware:
''

Traceback:

File "/usr/lib/python2.7/dist-packages/django/core/handlers/exception.py" in inner
  41.             response = get_response(request)

File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py" in _legacy_get_response
  249.             response = self._get_response(request)

File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py" in _get_response
  187.                 response = self.process_exception_by_middleware(e, request)

File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py" in _get_response
  185.                 response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "/usr/lib/python2.7/dist-packages/django/views/generic/base.py" in view
  68.             return self.dispatch(request, *args, **kwargs)

File "/usr/lib/python2.7/dist-packages/django/views/decorators/csrf.py" in wrapped_view
  58.         return view_func(*args, **kwargs)

File "/usr/lib/python2.7/dist-packages/combo/apps/wcs/views.py" in dispatch
  41.         return super(TrackingCodeView, self).dispatch(*args, **kwargs)

File "/usr/lib/python2.7/dist-packages/django/views/generic/base.py" in dispatch
  88.         return handler(request, *args, **kwargs)

File "/usr/lib/python2.7/dist-packages/combo/apps/wcs/views.py" in post
  63.         code = request.POST['code']

File "/usr/lib/python2.7/dist-packages/django/utils/datastructures.py" in __getitem__
  85.             raise MultiValueDictKeyError(repr(key))

Exception Type: MultiValueDictKeyError at /tracking-code/
Exception Value: "'code'" 
Request information:
USER: AnonymousUser

GET: No GET data

POST:
cell = u'44'

FILES: No FILES data

COOKIES: No cookie data
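
One way to keep both fuzzed requests above from producing error traces, as an added example that is not combo's code: validate the `code` and `url` POST fields before the view uses them. The names `clean_tracking_post`, `safe_next_url` and `BadRequest`, the `/` fallback and the allowed-host set are assumptions made for illustration.

```python
# Added example (not the project's code): validate the POST fields seen in the
# two reports so bad input is rejected up front instead of raising in the view.
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web redirects are wanted
FALLBACK_URL = "/"                   # assumption: safe default redirect target


class BadRequest(Exception):
    """Hypothetical error type; the caller would map it to an HTTP 400."""


def safe_next_url(url, allowed_hosts):
    """Return url if it is a local path or an http(s) URL on an allowed host."""
    if not url or url.startswith("//") or "\\" in url:
        return FALLBACK_URL  # empty, scheme-relative or backslash tricks
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Plain relative reference: accept only absolute local paths.
        return url if url.startswith("/") else FALLBACK_URL
    if parts.scheme.lower() in ALLOWED_SCHEMES and parts.hostname in allowed_hosts:
        return url
    return FALLBACK_URL  # e.g. file://path/to/file from the first report


def clean_tracking_post(post, allowed_hosts):
    """Validate a dict-like POST; raise BadRequest rather than KeyError."""
    # .get() avoids the MultiValueDictKeyError raised by request.POST['code'].
    code = (post.get("code") or "").strip()
    if not code:
        raise BadRequest("missing tracking code")
    # The code stays opaque data: a probe such as {{8*8}} is just a string that
    # will not match any tracking code, and is never rendered as a template.
    return {"code": code, "url": safe_next_url(post.get("url"), allowed_hosts)}


if __name__ == "__main__":
    hosts = {"departement06.test.entrouvert.org"}
    # Constructed inputs mirroring the two reports on this page.
    first = {"url": "file://path/to/file", "cell": "44", "code": "{{8*8}}"}
    print(clean_tracking_post(first, hosts))
    try:
        clean_tracking_post({"cell": "44"}, hosts)
    except BadRequest as exc:
        print("400:", exc)
```

In a Django view the same effect comes from reading `request.POST.get('code')` and returning an `HttpResponseBadRequest` when it is empty.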
