I haven't seen any response to the following alleged security vulnerability.
I am not qualified to judge the merits of this, but it does seem worrying that (alledgedly) the Python security team hasn't responded for over 12 months. Is anyone able to comment? Thanks, Steve On Mon, Feb 20, 2017 at 09:01:21PM +0000, nos...@curso.re wrote: > Hello, > > I have just noticed that an FTP injection advisory has been made public > on the oss-security list. > > The author says that he an exploit exists but it won't be published > until the code is patched > > You may be already aware, but it would be good to understand what is the > position of the core developers about this. > > The advisory is linked below (with some excerpts in this message): > > http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html > > Protocol injection flaws like this have been an area of research of mine > for the past few couple of years and as it turns out, this FTP protocol > injection allows one to fool a victim's firewall into allowing TCP > connections from the Internet to the vulnerable host's system on any > "high" port (1024-65535). A nearly identical vulnerability exists in > Python's urllib2 and urllib libraries. In the case of Java, this attack > can be carried out against desktop users even if those desktop users do > not have the Java browser plugin enabled. > As of 2017-02-20, the vulnerabilities discussed here have not been patched > by the associated vendors, despite advance warning and ample time to do > so. > [...] > Python's built-in URL fetching library (urllib2 in Python 2 and urllib in > Python 3) is vulnerable to a nearly identical protocol stream injection, > but this injection appears to be limited to attacks via directory names > specified in the URL. > [...] > The Python security team was notified in January 2016. Information > provided included an outline of the possibility of FTP/firewall attacks. > Despite repeated follow-ups, there has been no apparent action on their > part. > > Best regards, > > -- Stefano > > P.S. > I am posting from gmane, I hope that this is OK. > > _______________________________________________ > Python-Dev mailing list > Python-Dev@python.org > https://mail.python.org/mailman/listinfo/python-dev > Unsubscribe: > https://mail.python.org/mailman/options/python-dev/steve%40pearwood.info > _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com