[issue43223] [security] http.server: Open Redirection if the URL path starts with //

Hamza AVvan report at bugs.python.org
Fri Feb 19 00:59:56 EST 2021


Hamza AVvan <hamzaavvaan at gmail.com> added the comment:

As for the directory issue, it is not only .ssh: an attacker can use any directory to make the open redirection exploitable.

And as for the HTTP Location header, the server does not remove the extra trailing slash from the PAYLOAD URI, which seems to be the cause of the vulnerability getting exploited.

http://127.0.0.1:8000//attacker.com/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../.ssh

So I believe the server should check for multiple slashes and remove them from the path.

Additionally, as you've mentioned, it should also prepend host:port/ to the new_url variable before writing the HTTP Location header, because if an attacker bypasses the protection and adds an extra slash, the server will still redirect to the host which is getting inserted into the Location header. But honestly I need your opinion, as concatenating the host to the URL may lead to Host Header Injection, but it'll then require a different context.

Please watch the POC video.
POC Video: https://youtu.be/rLfOoEu1XXg

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue43223>
_______________________________________
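Added example, not code from this tracker thread or from CPython itself: it reproduces the shape of the trailing-slash redirect the comment describes (split the request path, append `/`, reassemble) and shows the two checks the comment proposes, collapsing repeated leading slashes before the path reaches `urlsplit` and verifying that the resulting Location value stays same-origin. The `attacker.example` host and the request paths are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed request path of the reported shape (placeholder host, no real target).
REPORTED_SHAPE = "//attacker.example/docs"


def directory_redirect_location(request_path: str) -> str:
    """Build the Location value for a 'directory without trailing slash' redirect
    the way the comment describes: split, append '/', reassemble unchanged.
    When the path starts with '//', urlsplit reads the first segment as the
    network location, so the reassembled value is a scheme-relative URL that a
    browser resolves against that foreign host."""
    parts = urlsplit(request_path)
    new_parts = (parts.scheme, parts.netloc, parts.path + "/",
                 parts.query, parts.fragment)
    return urlunsplit(new_parts)


def collapse_leading_slashes(request_path: str) -> str:
    """Reduce any run of leading '/' to a single '/', as the comment proposes,
    before the path is handed to urlsplit. Only leading slashes are touched;
    the rest of the path is left for normal path resolution."""
    if request_path.startswith("//"):
        return "/" + request_path.lstrip("/")
    return request_path


def hardened_redirect_location(request_path: str) -> str:
    """Same redirect, but with the leading-slash collapse applied first."""
    return directory_redirect_location(collapse_leading_slashes(request_path))


def is_same_origin_location(location: str) -> bool:
    """Defensive check on a Location value before it is sent: it must be an
    absolute path (single leading '/') carrying no scheme and no host."""
    parts = urlsplit(location)
    return (parts.scheme == "" and parts.netloc == ""
            and location.startswith("/") and not location.startswith("//"))


if __name__ == "__main__":
    print("unchecked :", directory_redirect_location(REPORTED_SHAPE))   # //attacker.example/docs/
    print("hardened  :", hardened_redirect_location(REPORTED_SHAPE))    # /attacker.example/docs/
```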