(repost) Advisory: HTTP Header Injection in Python urllib

[Steven D'Aprano]

On Sat, 18 Jun 2016 04:49 am, Paul Rubin wrote:

> The blog post below is from a couple days ago:
> 
>
http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html

> The blog post criticizes Redis and Memcached for not using any
> authentication (since "safe" internal networks are often not safe) and
> makes the interesting claim that even services on localhost should use
> authentication these days.


That's not quite what they say. They say that the problem is that "trusted
internal networks" are often no safer than the Internet and shouldn't be
trusted. It does also say:

"Even an unauthenticated service listening on localhost is risky these
days."

but fall short of *explicitly* recommending that they should be
authenticated. Although they do *implicitly* do so, by saying that "it
wouldn't be hard" for such services to include a password.

The author doesn't go into details of what sort of attacks against localhost
they're talking about. An unauthenticated service running on localhost
implies, to me, a single-user setup, where presumably the single-user has
admin access to localhost. So I'm not really sure what "risk" they have --
e.g. I'm sure that I could do all sorts of bad things to localhost by
exploiting http services. Or I could just go "sudo rm -rf /" [don't do this
at home]. Or whatever evil thing I had in mind.

But perhaps they mean a scenario where I'm running a service on localhost
and offering it to other users on a local network. In which case it makes
sense: trusted internal networks perhaps shouldn't be trusted.


-- 
Steven