New submission from Max <[email protected]>:
I recently came across a bug during a pentest that's allowed me to perform some
really interesting attacks on a target. While originally discovered in
requests, I had been forwarded to one of the urllib3 developers after agreeing
that fixing it at it's lowest level would be preferable. I was informed that
the vulnerability is also present in http.client and that I should report it
here as well.
The 'method' parameter is not filtered to prevent the injection from altering
the entire request.
For example:
>>> conn = http.client.HTTPConnection("localhost", 80)
>>> conn.request(method="GET / HTTP/1.1\r\nHost: abc\r\nRemainder:",
>>> url="/index.html")
This will result in the following request being generated:
GET / HTTP/1.1
Host: abc
Remainder: /index.html HTTP/1.1
Host: localhost
Accept-Encoding: identity
This was originally found in an HTTP proxy that was utilising Requests. It
allowed me to manipulate the original path to access different files from an
internal server since the developers had assumed that the method would filter
out non-standard HTTP methods.
The recommended solution is to only allow the standard HTTP methods of GET,
HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, and PATCH.
An alternate solution that would allow programmers to use non-standard methods
would be to only support characters [a-z] and stop reading at any special
characters (especially newlines and spaces).
----------
components: Library (Lib)
messages: 361710
nosy: maxpl0it
priority: normal
severity: normal
status: open
title: Injection in http.client
type: security
versions: Python 2.7, Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 3.9
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue39603>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
