[issue43223] [security] http.server: Open Redirection if the URL path starts with //
Hamza Avvan added the comment:

Requested review for the unit test a few days ago. Please check.
https://github.com/python/cpython/pull/24848

--
___
Python tracker <https://bugs.python.org/issue43223>
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue43223] [security] http.server: Open Redirection if the URL path starts with //
Change by Hamza Avvan:

--
hgrepos: +404
[issue43223] [security] http.server: Open Redirection if the URL path starts with //
Change by Hamza Avvan:

--
keywords: +patch
pull_requests: +23609
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/24848
[issue43223] [security] http.server: Open Redirection if the URL path starts with //
Hamza AVvan added the comment:

As for the directory issue, not only .ssh but an attacker can use any directory to make the open redirection exploitable. And as for the HTTP Header Location, the server does not remove the extra trailing slash from the PAYLOAD URI, which seems to be the cause of the vulnerability getting exploited.

http://127.0.0.1:8000//attacker.com/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../.ssh

So I believe the server should check for multiple slashes and remove them from the path. Additionally, as you've mentioned, it should also prepend the host:port/ to the new_url variable before writing the HTTP Header Location, because if an attacker bypasses the protection and adds an extra slash the server will still redirect to the host which is getting inserted into the Location header.

But honestly I need your opinion, as concatenating host to the URL may lead to Host Header Injection, but it'll then require a different context.

Please watch the POC video.
POC Video: https://youtu.be/rLfOoEu1XXg
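The check proposed in the comment above (collapsing repeated leading slashes before the path is echoed into Location), as an added example that is not part of the thread and not CPython's own code. The redirect function is a simplified model of a trailing-slash redirect, and all function names here are assumptions:

```python
from urllib.parse import urljoin, urlsplit

# Constructed test values. REPORTED_PATH is the request path quoted in the report.
SERVER = "http://127.0.0.1:8000/"
REPORTED_PATH = "//attacker.com/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../.ssh"


def naive_directory_redirect(request_path):
    """Simplified model (assumption): echo the request path back with the
    trailing slash a directory URL is missing."""
    return request_path if request_path.endswith("/") else request_path + "/"


def collapse_leading_slashes(request_path):
    """Reduce a run of leading slashes to one, so the value can only be
    parsed as a path on this server and never as '//host/...'."""
    if request_path.startswith("//"):
        return "/" + request_path.lstrip("/")
    return request_path


def redirect_target_host(location, base=SERVER):
    """Host a client ends up on after resolving Location against the request URL."""
    return urlsplit(urljoin(base, location)).hostname


def is_network_path_reference(location):
    """True when a Location value has no scheme but still names a host."""
    parts = urlsplit(location)
    return not parts.scheme and bool(parts.netloc)


if __name__ == "__main__":
    unsafe = naive_directory_redirect(REPORTED_PATH)
    safe = naive_directory_redirect(collapse_leading_slashes(REPORTED_PATH))
    for label, location in (("as reported", unsafe), ("collapsed", safe)):
        print(f"{label:12} Location: {location}")
        print(f"{'':12} network-path reference: {is_network_path_reference(location)}")
        print(f"{'':12} client lands on host:   {redirect_target_host(location)}")
```

`is_network_path_reference` can also serve as a regression-test assertion on any Location header a handler emits for a relative redirect.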
[issue43223] [SECURITY] Open Redirection In Python 3.7 & 3.8
Change by Hamza AVvan:

--
title: Open Redirection In Python 3.7 & 3.8 -> [SECURITY] Open Redirection In Python 3.7 & 3.8
[issue43223] Open Redirection In Python 3.7 & 3.8
New submission from Hamza AVvan:

The provided versions of Python distros 3.8.7 and 3.7.4 are vulnerable to open redirection while traversing to an existing directory.

# PAYLOAD
http://127.0.0.1:8000//attacker.com/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../.ssh

In this case, the actual path of .ssh was:
http://127.0.0.1:8000/.ssh

Upon visiting the payload URI the Python server will respond back with a Location header instead of serving the directory contents directly, which triggers the redirection to attacker.com

Server: SimpleHTTP/0.6 Python/3.8.7

--
components: Windows
files: Capture.PNG
messages: 386945
nosy: hamzaavvan, paul.moore, steve.dower, tim.golden, zach.ware
priority: normal
severity: normal
status: open
title: Open Redirection In Python 3.7 & 3.8
type: security
versions: Python 3.7, Python 3.8
Added file: https://bugs.python.org/file49808/Capture.PNG