Message387284
As for the directory issue, it is not only .ssh: an attacker can use any directory to make the open redirection exploitable.
And as for the HTTP Location header, the server does not remove the extra trailing slash from the PAYLOAD URI, which seems to be the cause of the vulnerability being exploited.
http://127.0.0.1:8000//attacker.com/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../.ssh
So I believe the server should check for multiple slashes and remove them from the path.
Additionally, as you've mentioned, it should also prepend the host:port/ to the new_url variable before writing the HTTP Location header, because if an attacker bypasses the protection and adds an extra slash, the server will still redirect to the host which is getting inserted into the Location header. But honestly, I need your opinion, as concatenating the host to the URL may lead to Host Header Injection, but it will then require a different context.
Please watch the POC video.
POC Video: https://youtu.be/rLfOoEu1XXg
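The two mitigations discussed in this message (collapsing repeated leading slashes before building the redirect, and making sure the Location value cannot name another host) can be shown side by side. The following is an added illustration, not CPython's own http.server code or patch; the function names are hypothetical, the sample request paths are constructed, and "attacker.example" is a placeholder host used only to show the shape of a scheme-relative target. It also rejects raw or percent-encoded CR/LF, which is the other component of the payload quoted above and the reason a Location value must be checked after decoding, not before.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed sample request targets (not taken from any live server).
# "attacker.example" is a placeholder host, not a real site.
SAMPLE_PATHS = [
    "/docs",
    "//attacker.example/docs",
    "//attacker.example/..%2f..%2f/%0a%0d/../.ssh",
]


def parsed_host(location: str) -> str:
    """Host that a URL parser (and therefore a browser) extracts from a
    Location value.  A value starting with '//' is a scheme-relative URL:
    the text after the slashes is a host, not a path segment."""
    return urlsplit(location).netloc


def collapse_leading_slashes(path: str) -> str:
    """Reduce any run of leading slashes to a single '/'.

    After this step a request for '//attacker.example/docs' is handled as
    the local path '/attacker.example/docs', so any redirect built from it
    can only point back at the same origin."""
    if path.startswith("//"):
        return "/" + path.lstrip("/")
    return path


def is_same_origin_location(location: str) -> bool:
    """Accept only a single-slash-rooted path with no scheme, no host, and
    no CR/LF (raw or percent-encoded) that could split the response header."""
    parts = urlsplit(location)
    if parts.scheme or parts.netloc:
        return False
    if not location.startswith("/") or location.startswith("//"):
        return False
    decoded = unquote(location)
    return "\r" not in decoded and "\n" not in decoded


def build_directory_redirect(request_path: str) -> Optional[str]:
    """Build the Location value for a 'directory requested without a trailing
    slash' redirect (path + '/' plus the original query, the shape http.server
    uses), or return None when no same-origin value can be formed."""
    path = collapse_leading_slashes(request_path)
    parts = urlsplit(path)
    location = parts.path + "/"
    if parts.query:
        location += "?" + parts.query
    return location if is_same_origin_location(location) else None


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p!r:50} host_as_parsed={parsed_host(p)!r:20} "
              f"location={build_directory_redirect(p)!r}")
```

Keeping the Location value a same-origin path (rather than prepending host:port as the message considers) avoids the Host header question entirely: the browser resolves a single-slash path against the origin it already contacted, so there is no host string for an attacker to influence.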
Date | User | Action | Args
2021-02-19 05:59:56 | hamzaavvan | set | recipients: + hamzaavvan, paul.moore, vstinner, tim.golden, zach.ware, steve.dower
2021-02-19 05:59:56 | hamzaavvan | set | messageid: <1613714396.09.0.53261998931.issue43223@roundup.psfhosted.org>
2021-02-19 05:59:56 | hamzaavvan | link | issue43223 messages
2021-02-19 05:59:55 | hamzaavvan | create |