Full Disclosure mailing list archives

Blindspot Advisory: HTTP Header Injection in Python urllib

From: "Timothy D. Morgan" <tim-security () sentinelchicken org>
Date: Wed, 15 Jun 2016 10:24:46 -0700


Python's built-in URL library ("urllib2" in 2.x and "urllib" in 3.x)
is vulnerable to protocol stream injection attacks (a.k.a. "smuggling"
attacks) via the http scheme. If an attacker could convince a Python
application using this library to fetch an arbitrary URL, or fetch a
resource from a malicious web server, then these injections could
allow for a great deal of access to certain internal services.

URLs of the following form allow injection into the HTTP stream:

  http://127.0.0.1%0d%0aX-injected:%20header%0d%0ax-leftover:%20:12345/foo
  http://localhost%00%0d%0ax-bar:%20:12345/foo

More details here:
  http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html

Thank you,
tim

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

Blindspot Advisory: HTTP Header Injection in Python urllib Timothy D. Morgan (Jun 16)