[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Blindspot Advisory: HTTP Header Injection in Python urllib

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Blindspot Advisory: HTTP Header Injection in Python urllib
From: "Timothy D. Morgan" <tim-security@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 15 Jun 2016 10:24:46 -0700

Python's built-in URL library ("urllib2" in 2.x and "urllib" in 3.x)
is vulnerable to protocol stream injection attacks (a.k.a. "smuggling"
attacks) via the http scheme. If an attacker could convince a Python
application using this library to fetch an arbitrary URL, or fetch a
resource from a malicious web server, then these injections could
allow for a great deal of access to certain internal services.

URLs of the following form allow injection into the HTTP stream:

  http://127.0.0.1%0d%0aX-injected:%20header%0d%0ax-leftover:%20:12345/foo
  http://localhost%00%0d%0ax-bar:%20:12345/foo

More details here:
  
http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html

Thank you,
tim

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Microsoft Visio multiple DLL side loading vulnerabilities
Next by Date: [FD] Authentication bypass in Ceragon FibeAir IP-10 web interface (<7.2.0)
Previous by thread: [FD] Microsoft Visio multiple DLL side loading vulnerabilities
Next by thread: [FD] Authentication bypass in Ceragon FibeAir IP-10 web interface (<7.2.0)
Index(es):
- Date
- Thread