Message125378
Per the first line of my previous comment, please ignore HTTP_REMOTE_USER.
The risk is that if the proxy does not place the user-supplied 'remote-user=VALUE1' before the proxy-supplied 'REMOTE_USER=VALUE2', wsgiref will overload REMOTE_USER with the value of REMOTE-USER.
1) Client supplies 'REMOTE-USER=admin'
2) Proxy adds 'REMOTE_USER=normal_user' and appends 'REMOTE-USER=admin'
3) Server using wsgiref processes header key/value 'REMOTE_USER=normal_user' and performs lowercase/replace, resulting in 'remote_user=normal_user'
4) Server using wsgiref continues to process the header, performs lowercase/replace on 'REMOTE-USER=admin', resulting in 'remote_user=admin', which overloads the proxy-supplied value for 'remote_user' and allows for arbitrary privilege escalation.
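The folding collision described in steps 1-4, modelled in Python as an added example (not code from CPython's wsgiref or from this issue): fold() is an assumed stand-in for the lowercase/replace rewrite the message describes, and the header list is constructed to match the order in steps 2-4. The naive merge shows the last-write-wins outcome; the strict merge keeps the first value and reports every folded key that more than one distinct raw spelling produced, so such a request can be logged or rejected rather than trusted.

```python
"""Model of the header-name folding collision the message above describes.

Added example; not code from CPython's wsgiref or from the issue.  fold()
is an assumed model of the rewrite the message describes (lowercase, '-'
to '_'), not a copy of wsgiref's implementation.
"""
from collections import defaultdict


def fold(name: str) -> str:
    """'REMOTE-USER', 'Remote_User' and 'REMOTE_USER' all become 'remote_user'."""
    return name.lower().replace("-", "_")


def naive_environ(headers):
    """Last write wins, as the message describes: the later 'REMOTE-USER'
    header overwrites the proxy's 'REMOTE_USER' value."""
    env = {}
    for name, value in headers:
        env[fold(name)] = value
    return env


def strict_environ(headers):
    """Fold names but refuse to pick a winner: return the environ plus every
    folded key that was produced by more than one distinct raw spelling, so
    the caller can reject or log the request instead of trusting either."""
    spellings = defaultdict(set)
    env = {}
    for name, value in headers:
        key = fold(name)
        spellings[key].add(name)
        if key not in env:          # first value wins, never overwritten
            env[key] = value
    ambiguous = sorted(k for k, s in spellings.items() if len(s) > 1)
    return env, ambiguous


# Constructed sample: the header order from the message's steps 2-4.
HEADERS = [
    ("Host", "app.example"),
    ("REMOTE_USER", "normal_user"),   # added by the proxy
    ("REMOTE-USER", "admin"),         # forwarded from the client
]

if __name__ == "__main__":
    print(naive_environ(HEADERS)["remote_user"])      # admin
    env, ambiguous = strict_environ(HEADERS)
    print(env["remote_user"], ambiguous)              # normal_user ['remote_user']
```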
Date                | User       | Action | Args
2011-01-04 22:40:34 | Alex.Raitz | set    | recipients: + Alex.Raitz, pje
2011-01-04 22:40:34 | Alex.Raitz | set    | messageid: <1294180834.68.0.172225901177.issue10751@psf.upfronthosting.co.za>
2011-01-04 22:40:29 | Alex.Raitz | link   | issue10751 messages
2011-01-04 22:40:29 | Alex.Raitz | create |