In this post, we will discuss a vulnerability in Django (CVE-2023-31047) that allows form validation to be bypassed when one form field is used to upload multiple files. It affects Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, and was fixed in the security releases of 3 May 2023. It's important to note that forms.FileField and forms.ImageField were never designed for multiple file uploads: before the fix, only the last file submitted under a field name was validated. Still, Django's "Uploading multiple files" documentation erroneously suggested that it was supported.

Code Snippet

Here's the form from Django's old documentation, which uses a single FileField and sets the widget's multiple attribute so the browser sends several files under the same field name:

from django import forms

class UploadMultipleFilesForm(forms.Form):
    # Before 3.2.19 / 4.1.9 / 4.2.1, FileInput.value_from_datadict() returned
    # files.get(name), i.e. only the last file, so that was all that got validated.
    files = forms.FileField(widget=forms.ClearableFileInput(attrs={'multiple': True}))

Exploit Details

An attacker exploits this by submitting several parts with the same field name in one multipart/form-data POST request. Django's FileInput widget fetches the field value with files.get(name); on request.FILES, a MultiValueDict, that returns the last value stored under the name, so only the last file passes through the field's validation (ImageField's Pillow check, max_length, any custom validators). The view then typically saves every file via request.FILES.getlist(name), exactly as the old documentation showed.

For instance, an attacker could send a text file containing a script as the first part and a legitimate image as the last part. Validation checks only the image, and the script file is stored alongside it. Order matters: whatever is placed last under the field name is the only file that gets checked, and everything before it bypasses the form's validation.

In the worst case, this leads to unauthorized file uploads and, if the application stores uploads somewhere they are executed or served with a dangerous content type, to Remote Code Execution on the server. Django itself does not execute uploaded files; the real impact depends on what the view does with the extra files and where they end up.
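The following stand-alone script, added here as an illustration and not taken from Django's source, reproduces the mechanics described above using only the standard library: a constructed multipart body carries two parts named "files" (a script first, a PNG last), a small MultiValueDict stand-in mirrors Django's get()-returns-last behaviour, and vulnerable_clean() validates only files.get(name) while fixed_clean() follows the pattern of Django's current multiple-upload documentation and validates every file. All names (parse_multipart, validate_image, the boundary and the sample request) are assumptions made for the demo.

```python
import re
from dataclasses import dataclass

# Constructed demo boundary; a real browser picks a random one.
BOUNDARY = b"----demo-boundary"

@dataclass
class UploadedFile:
    """Minimal stand-in for django.core.files.uploadedfile.UploadedFile."""
    name: str
    content_type: str
    data: bytes

def multipart_part(field, filename, content_type, data):
    """Build one multipart/form-data part (constructed request data)."""
    return (
        b"--" + BOUNDARY + b"\r\n"
        + f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'.encode()
        + f"Content-Type: {content_type}\r\n\r\n".encode()
        + data + b"\r\n"
    )

# Constructed POST body: two parts share the field name "files". The script
# comes first and the benign PNG last, which is the order an attacker wants.
SAMPLE_BODY = (
    multipart_part("files", "shell.php", "text/plain", b"<?php system($_GET['cmd']); ?>")
    + multipart_part("files", "photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
    + b"--" + BOUNDARY + b"--\r\n"
)

_DISPOSITION = re.compile(rb'name="([^"]*)"(?:; filename="([^"]*)")?')

def parse_multipart(body, boundary):
    """Return (field_name, UploadedFile) pairs in wire order."""
    uploads = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        headers, _, data = chunk[2:].partition(b"\r\n\r\n")  # drop CRLF after boundary line
        data = data[:-2]                                      # drop CRLF before next boundary
        hdrs = {}
        for line in headers.split(b"\r\n"):
            key, _, value = line.partition(b":")
            hdrs[key.strip().lower()] = value.strip()
        match = _DISPOSITION.search(hdrs.get(b"content-disposition", b""))
        field = match.group(1).decode()
        filename = (match.group(2) or b"").decode()
        uploads.append((field, UploadedFile(filename, hdrs.get(b"content-type", b"").decode(), data)))
    return uploads

class MultiValueDict:
    """Stand-in for django.utils.datastructures.MultiValueDict: get() returns
    the LAST value stored under a key, getlist() returns all of them."""
    def __init__(self, pairs):
        self._lists = {}
        for key, value in pairs:
            self._lists.setdefault(key, []).append(value)

    def get(self, key, default=None):
        values = self._lists.get(key)
        return values[-1] if values else default

    def getlist(self, key):
        return list(self._lists.get(key, []))

def validate_image(upload):
    """Field-level validation: accept only .png files that start with the PNG magic."""
    errors = []
    if not upload.data.startswith(b"\x89PNG\r\n\x1a\n"):
        errors.append(f"{upload.name}: not a PNG image")
    if not upload.name.lower().endswith(".png"):
        errors.append(f"{upload.name}: extension not allowed")
    return errors

def vulnerable_clean(files, field="files"):
    """Pre-fix behaviour: the widget fetches files.get(field), i.e. the last
    file, so only that one is validated; the view then saves getlist(field)."""
    errors = validate_image(files.get(field))
    saved = [] if errors else [u.name for u in files.getlist(field)]
    return saved, errors

def fixed_clean(files, field="files"):
    """Pattern from Django's current multiple-upload docs: run the single-file
    validation over every file in the list and reject the submission on any error."""
    errors = []
    for upload in files.getlist(field):
        errors.extend(validate_image(upload))
    saved = [] if errors else [u.name for u in files.getlist(field)]
    return saved, errors

def demo():
    files = MultiValueDict(parse_multipart(SAMPLE_BODY, BOUNDARY))
    return {"vulnerable": vulnerable_clean(files), "fixed": fixed_clean(files)}

if __name__ == "__main__":
    for label, (saved, errors) in demo().items():
        print(f"{label}: saved={saved} errors={errors}")
```

Running it shows the vulnerable path saving both shell.php and photo.png with no errors, because only photo.png was ever validated, while the fixed path rejects the whole submission on the errors raised for shell.php. Swapping the order of the two parts makes the vulnerable path reject the upload too, which is why an attacker always puts the benign file last.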

References

1. Django Security Advisory
2. Django CVE-2023-31047 Detailed Information
3. Official GitHub Commit to Fix the Vulnerability

Developers using vulnerable versions of Django should upgrade to the patched releases:

Django 3.2 should be upgraded to 3.2.19 or later
Django 4.1 should be upgraded to 4.1.9 or later
Django 4.2 should be upgraded to 4.2.1 or later

Additionally, review how file fields are used in your application. As of the fixed versions, FileInput and ClearableFileInput raise ValueError when the multiple HTML attribute is set on them, so an upgrade will surface every form that relied on the old behaviour. To keep accepting several files, set allow_multiple_selected = True on a widget subclass and pair it with a FileField subclass whose clean() validates each file in the list rather than only the last one, as the current Django documentation on uploading multiple files shows. Do not set multiple on a plain forms.FileField or forms.ImageField and expect every file to be validated.

By taking these steps, developers can help reduce the risk of attackers exploiting CVE-2023-31047 in their Django applications.

In conclusion, although the Django documentation suggested that multiple file uploads were supported, forms.FileField and forms.ImageField were never intended to be used this way, and the fixed versions now refuse the multiple attribute unless a widget explicitly opts in. Upgrading to a non-vulnerable version is the best course of action, along with validating every uploaded file in any form that accepts more than one.

Timeline

Published on: 05/07/2023 02:15:00 UTC
Last modified on: 05/16/2023 03:15:00 UTC