Huh, that's quite an interesting hack, isn't it?

As for whether web.py's vulnerable or not: yes and no.

web.py is not vulnerable per se, but neither does it go out of its way to
protect you from it (true web.py style :-). Because web.py sets ctx.host
directly from HTTP_HOST or the Host header (this is as documented in
ctx.__doc__), whether it's vulnerable depends on:

1) Whether your web server does any filtering based on the Host header. In
other words, be careful how you've set up your server's name-based virtual
hosting. In Apache, for instance, you can use the ServerName/ServerAlias
directives to filter on certain values of the Host header, which means
you're not vulnerable.

Well, not unless you have a default host name handler of * (all other Host
header values). Which I'm guessing is quite common, so take care.

2) Whether you actually use ctx.host like HTTP_HOST as this article
describes. So if you had something like this in a template, you'd be
vulnerable:

    <a href="http://$(web.ctx.host)/login">Login</a>

3) I also noticed that web.py's new subdomain_application "delegator" uses
ctx.host directly (from the user's Host header). So whether you're
vulnerable depends on how you set up the "mapping" regexes that you give. If
your regexes are nice and tight, you should be fine.

All of which to say, check your web server setup, and be careful how you use
ctx.host as it comes straight from the user.

Cheers,
Ben.

On Wed, Jun 11, 2008 at 6:24 PM, scamajama <[EMAIL PROTECTED]>
wrote:

>
> Is webpy vulnerable to http cache poisoning:
> <http://carlos.bueno.org/2008/06/host-header-injection.html>?
>
> --sj
>


-- 
Ben Hoyt, http://benhoyt.com/
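An added illustration of the checks the reply above leaves to the application (example code, not web.py's own and not from the thread): a plain Python helper that takes the host from HTTP_HOST the way ctx.host does, refuses to build an absolute URL unless that host is on an allowlist, and contrasts a loose subdomain mapping pattern with a fully anchored one. ALLOWED_HOSTS, both patterns, and the function names are constructed for this example; the matching is plain `re`, not a claim about how subdomain_application applies its mapping.

```python
import re

# Constructed allowlist: the host names this app is actually served under.
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Hypothetical subdomain mapping patterns. The loose one matches anywhere in
# the string; the tight one is anchored to the whole host name.
LOOSE_PATTERN = re.compile(r"example\.com")
TIGHT_PATTERN = re.compile(r"^(?:[a-z0-9-]+\.)?example\.com$")

# Syntactic shape of a Host header value: host name plus optional port.
HOST_RE = re.compile(r"^(?P<host>[a-z0-9.-]+)(?::(?P<port>\d{1,5}))?$")


def validated_host(environ, allowed=ALLOWED_HOSTS):
    """Return the (lower-cased) Host header value if it names a host we serve,
    else None. Mirrors ctx.host being taken straight from HTTP_HOST; the
    allowlist check is the part the framework does not do for you."""
    raw = environ.get("HTTP_HOST", "").lower()
    m = HOST_RE.match(raw)
    if not m:
        return None
    return raw if m.group("host") in allowed else None


def login_url(environ, scheme="http"):
    """Build the absolute login URL only from a validated host, never from
    the raw header, so a spoofed Host cannot end up in a cached page."""
    host = validated_host(environ)
    if host is None:
        raise ValueError("untrusted Host header; refusing to build absolute URL")
    return "%s://%s/login" % (scheme, host)


def host_matches(pattern, host):
    """Apply a mapping pattern with search(), as a loose mapping would."""
    return pattern.search(host.lower()) is not None
```

With the loose pattern, `example.com.attacker.net` is accepted as a subdomain of the app; the anchored pattern rejects it while still matching `www.example.com`.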
