[Security] A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! #76266
Comments
Vulnerabilities described below are likely these ones reported in bpo-30500, but it would be nice to double check if *all* reported vulnerabilities have been fixed!

--

On July 27, 2017, Orange Tsai (Security Consultant, DEVCORE) reported vulnerabilities in Python, in the code parsing URLs.

Conference: https://www.blackhat.com/us-17/briefings/schedule/#a-new-era-of-ssrf---exploiting-url-parser-in-trending-programming-languages-6292

His following blog post only contains the vulnerabilities in Python:

Note: His twitter account, https://twitter.com/orange_8361

== Issue 1 ==
http://127.0.0.1:25/%0D%0AHELO orange.tw%0D%0AMAIL FROM
=> "SMTP Hates HTTP Protocol It Seems Unexploitable" "Gopher Is Good What If There Is No Gopher Support?" "HTTPS What Won't Be Encrypted in a SSL Handshake?"

== Issue 2 ==
https://127.0.0.1□%0D%0AHELO□orange.tw%0D%0AMAIL□FROM...:25/
== Big Picture ==

Python vulnerable to:

The square □ in the strings represents a space.

Issue 1 (CRLF in HTTP request path): it looks like the %0D%0A would have to be decoded by an earlier step in the chain to "http://127.0.0.1:25/\r\nHELO . . .". This becomes like the header injection I mentioned in bpo-30458.

Issue 2 (CRLF in HTTPS host): it seems this doesn’t work in Python as a side effect of bpo-22928 blocking generation of the Host field. But if you add a space you bypass that: "https://host%0D%0A%20SLAVEOF . . .:6379".

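A defender-side pre-flight check for the two patterns discussed in the comment above, added here as an example (not CPython's code and not from the issue): it refuses a URL before it reaches an HTTP client when the host or the request target carries CR/LF or whitespace, whether raw or percent-encoded. `check_outbound_url` and its regexes are hypothetical names; it assumes only the standard library.

```python
import re
from urllib.parse import urlsplit, unquote

# ASCII control characters and DEL: never legal anywhere in a URL we will send.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Same class plus space: the set that must not reach the request line or Host header.
CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")
# Strict hostname: DNS labels or dotted-quad IPv4 only (bracketed IPv6 is
# deliberately out of scope for this example and is rejected).
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(r"^(?:%s\.)*%s$" % (LABEL, LABEL))


def check_outbound_url(url, allowed_schemes=("http", "https")):
    """Return (True, (scheme, host, port)) if url is safe to hand to an HTTP
    client, else (False, reason).  Hypothetical helper, not CPython code."""
    # Check the raw string first: recent urlsplit() silently strips \t \r \n
    # (bpo-43882), so an already-decoded CRLF would vanish before we saw it.
    if CONTROL.search(url):
        return False, "control character in raw URL"
    parts = urlsplit(url)
    if parts.scheme.lower() not in allowed_schemes:
        return False, "scheme not allowed"
    host = parts.hostname or ""
    # Issue 2: a host carrying CR/LF, or a space in front of it, is not a hostname.
    if CONTROL_OR_SPACE.search(parts.netloc) or not HOSTNAME.match(host):
        return False, "invalid host"
    try:
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False, "invalid port"
    target = parts.path + ("?" + parts.query if parts.query else "")
    # Issue 1, raw form: a literal space or control character splits the request line.
    if CONTROL_OR_SPACE.search(target):
        return False, "whitespace or control character in request target"
    # Issue 1, encoded form: if a later stage percent-decodes before sending,
    # %0D%0A becomes a real CRLF, so reject CR/LF/NUL in the decoded target too.
    if CONTROL.search(unquote(target)):
        return False, "encoded control character in request target"
    return True, (parts.scheme.lower(), host, port)
```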
bpo-32185 proposes to stop sending IP addresses in the TLS SNI protocol. Maybe this will help; it depends if it will catch IP address strings with whitespace or if there are other ways to inject invalid hostnames.

Since bpo-32185 has been patched, should this one be revisited to see if that solution helped fix this one?

No activity for 3 years, I close the issue.

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.