New submission from STINNER Victor <victor.stin...@gmail.com>:

Vulnerabilities described below are likely these ones reported in bpo-30500, but it would be nice to double check if *all* reported vulnerabilities have been fixed!

http://python-security.readthedocs.io/vuln/bpo-30500_urllib_connects_to_a_wrong_host.html
--

On July 27, 2017, Orange Tsai (Security Consultant, DEVCORE) reported vulnerabilities in Python, in the code parsing URLs.

Conference:
https://www.blackhat.com/us-17/briefings/schedule/#a-new-era-of-ssrf---exploiting-url-parser-in-trending-programming-languages-6292

Slides:
https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

His following blog post only contains the vulnerabilities in Python:
http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html

Note: His Twitter account, https://twitter.com/orange_8361

== Issue 1 ==

* CR-LF Injection on HTTP protocol
* Smuggling SMTP protocol over HTTP protocol

http://127.0.0.1:25/%0D%0AHELO orange.tw%0D%0AMAIL FROM

>> GET /
<< 421 4.7.0 ubuntu Rejecting open proxy localhost [127.0.0.1]
>> HELO orange.tw
Connection closed

=> "SMTP Hates HTTP Protocol It Seems Unexploitable"

"Gopher Is Good What If There Is No Gopher Support?"

"HTTPS What Won't Be Encrypted in a SSL Handshake?"

== Issue 2 ==

* HTTPS: What Won't Be Encrypted in a SSL Handshake?
* Exploit the Unexploitable - Smuggling SMTP over TLS SNI

https://127.0.0.1□%0D%0AHELO□orange.tw%0D%0AMAIL□FROM...:25/

(...)
>< HELO orange.tw
<< 250 ubuntu Hello localhost [127.0.0.1], please meet you
>> MAIL FROM: <ad...@orange.tw>
<< 250 2.1.0 <ad...@orange.tw>... Sender ok

== Big Picture ==

Python vulnerable to:

* Python httplib:
  * CR-LF Injection: Path, Host and SNI
* Python urllib:
  * CR-LF Injection: Host and SNI
  * Host Injection
* Python urllib2
  * CR-LF Injection: Host and SNI

----------
messages: 306543
nosy: vstinner
priority: normal
severity: normal
status: open
title: [Security] A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!
type: security

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue32085>
_______________________________________
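
Added example, not part of the tracker message or of CPython: a conservative pre-flight check an application could run on a user-supplied URL before handing it to an HTTP client, covering the Path and Host/SNI injection points listed under "Big Picture". The function name, the rejection policy and the two sample URLs (constructed, modelled on the ones in the report) are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Policy choices below are assumptions of this example, not CPython behaviour.
_RAW_BAD = re.compile(r"[\x00-\x20\x7f]")        # literal space or control char
_DECODED_CTL = re.compile(r"[\x00-\x1f\x7f]")    # CR, LF and other controls
_HOST_OK = re.compile(r"[A-Za-z0-9.:-]+")        # hostname, IPv4 or IPv6 literal

# Constructed samples modelled on the two URLs in the report.
SAMPLE_HTTP = "http://127.0.0.1:25/%0D%0AHELO orange.tw%0D%0AMAIL FROM"
SAMPLE_SNI = "https://127.0.0.1 %0D%0AHELO orange.tw%0D%0AMAIL FROM:25/"


def url_findings(url):
    """Return (component, reason) pairs; an empty list means nothing was flagged."""
    findings = []
    # Check the raw string first: urlsplit() may silently drop tab, CR and LF.
    if _RAW_BAD.search(url):
        findings.append(("url", "literal space or control character"))
    try:
        parts = urlsplit(url)
        host = parts.hostname
        parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError as exc:
        findings.append(("url", f"unparseable: {exc}"))
        return findings
    # The host ends up in the Host header and in the TLS SNI field, so it
    # must not carry '%', spaces or anything else outside a plain name.
    if not host or not _HOST_OK.fullmatch(host):
        findings.append(("host", "not a plain hostname or IP literal"))
    # Path and query go into the request line; reject encoded CR/LF there.
    for name, value in (("path", parts.path), ("query", parts.query)):
        if _DECODED_CTL.search(unquote(value)):
            findings.append((name, "percent-decodes to a control character"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_HTTP, SAMPLE_SNI, "https://example.org/a?q=b%20c"):
        print(sample, "->", url_findings(sample) or "ok")
```

The check decodes one level of percent-encoding only; an application that decodes URLs more than once needs to apply it after each decoding step.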