Django 1.2.2 released to close XSS-enabling hole - Update
The Django Project developers have released Django 1.2.2 to close a vulnerability in the Python-based web framework which allowed attackers to launch cross-site scripting (XSS) attacks. The flaw is, ironically, in the Cross-Site Request Forgery (CSRF) protection code that was added in version 1.2.
This protection generates a random token that is inserted into a hidden field on each form and, at the same time, set in a cookie; when a form is submitted, the hidden field value and the cookie value are compared to detect a forged request. It was discovered that the template tag used to insert this token into forms implicitly trusted the cookie value and wrote it, unescaped, into the outgoing HTML. An attacker able to tamper with the cookie could therefore use it to inject markup or script into the site's own pages, resulting in an XSS attack.
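To make the mechanism concrete, here is an added Python illustration of the vulnerable and corrected rendering pattern described above. It is not Django's code: the hidden-field markup, the 32-character alphanumeric token format, the sanitize_token fallback and the two sample cookie values are assumptions constructed for this demonstration.

```python
import hmac
import html
import re
import secrets

# Constructed sample values for this demonstration (not real Django tokens).
LEGIT_COOKIE = "a" * 32                                          # token as the framework set it
TAMPERED_COOKIE = 'x"><script>alert(1)</script><input value="'  # attacker-controlled cookie value

# Hidden-field markup shared by both renderers, so the only difference is escaping.
FIELD_TEMPLATE = '<input type="hidden" name="csrfmiddlewaretoken" value="%s" />'

# Assumed token format for this demo: exactly 32 alphanumeric characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9]{32}")


def render_csrf_field_vulnerable(cookie_token: str) -> str:
    """The flawed pattern: the cookie value is trusted and interpolated into HTML as-is."""
    return FIELD_TEMPLATE % cookie_token


def render_csrf_field_fixed(cookie_token: str) -> str:
    """The corrected pattern: the value is HTML-escaped (quotes included) before interpolation."""
    return FIELD_TEMPLATE % html.escape(cookie_token, quote=True)


def sanitize_token(cookie_token: str) -> str:
    """Extra defense, an assumption of this demo rather than something the article describes:
    a cookie value that does not look like a token is discarded and replaced with a fresh
    random one, so attacker-controlled bytes never reach the template at all."""
    if TOKEN_RE.fullmatch(cookie_token):
        return cookie_token
    return secrets.token_hex(16)  # 32 hex characters, satisfies TOKEN_RE


def tokens_match(form_value: str, cookie_value: str) -> bool:
    """The check performed on submission: hidden-field value against cookie value,
    compared in constant time."""
    return hmac.compare_digest(form_value.encode(), cookie_value.encode())


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_csrf_field_vulnerable),
                            ("fixed", render_csrf_field_fixed)):
        out = renderer(TAMPERED_COOKIE)
        print(f"{label:10s} script tag present: {'<script>' in out}; "
              f"<input> tags in output: {out.count('<input')}")
    print("sanitized tampered cookie:", sanitize_token(TAMPERED_COOKIE))
```

With the tampered cookie, the vulnerable renderer emits a second input element and a live script tag, while the fixed renderer keeps the whole value inside the attribute as escaped text; for a well-formed token the two renderers produce identical markup, which is the property a regression test for this fix should check.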
The CSRF protection in Django 1.2 is a new implementation; in previous versions CSRF protection was a separate, optionally enabled subsystem, so versions prior to 1.2 are unaffected by this issue. The developers say Django 1.2 users are "urged to upgrade immediately" to 1.2.2 and note that, because of the "time sensitive nature of this issue", they have not given their usual advance notification to Django distributors.
Update 13-09-2010: The Django team has released version 1.2.3 to address several issues found in the 1.2.2 package. The developers say the update corrects problems with CSRF tokens in non-ASCII responses and various issues with administration forms, and includes a corrected packaging manifest.