(repost) Advisory: HTTP Header Injection in Python urllib

Steven D'Aprano steve at pearwood.info
Sat Jun 18 12:02:43 EDT 2016


On Sat, 18 Jun 2016 01:52 pm, Random832 wrote:

> On Fri, Jun 17, 2016, at 21:00, Steven D'Aprano wrote:
>> The author doesn't go into details of what sort of attacks against
>> localhost they're talking about. An unauthenticated service running on
>> localhost implies, to me, a single-user setup, where presumably the
>> single-user has admin access to localhost. So I'm not really sure what
>> "risk" they have
> 
> The issue - especially clearly in this context, which demonstrates a
> working exploit for this vulnerability - is cross-site request forgery.
> Which doesn't technically require the victim service to be HTTP (I
> remember a proof of concept a while back which would trick a browser
> into connecting to an IRC server), so long as it can ignore HTTP
> headers.

Er, you may have missed that I'm talking about a single user setup. Are you
suggesting that I can't trust myself not to forge a request that goes to a
hostile site?

It's all well and good to say that the application is vulnerable to X-site
attacks, but how does that relate to a system where I'm the only user?



-- 
Steven
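For readers following the advisory itself rather than the single-user argument, here is a defensive input check of the kind that blocks the header-injection class being discussed: refuse any URL that carries a carriage return, line feed or NUL (literal or percent-encoded) before it reaches urllib. This is an added example, not code from the advisory, from the thread participants or from Python's standard library; the function names and the sample URLs in it are constructed for illustration.

```python
"""Reject URLs that could smuggle extra HTTP header lines into a urllib request.

Added example, not code from the advisory or from CPython. Function names
and sample URLs are constructed for this illustration.
"""
import urllib.request
from urllib.parse import unquote, urlsplit

# Characters that terminate a request line or header line in HTTP/1.x.
# Any of them inside a URL means the request text could be broken apart.
_FORBIDDEN = {"\r", "\n", "\x00"}


def check_request_url(url: str) -> bool:
    """Return True if `url` is acceptable to pass to urllib, False otherwise.

    The check runs on the raw string and on its percent-decoded form, so an
    encoded control character (e.g. %0d%0a) is caught as well as a literal one.
    It runs *before* urlsplit(), because urlsplit() silently strips ASCII
    newlines and would hide the problem.
    """
    for candidate in (url, unquote(url)):
        if any(ch in candidate for ch in _FORBIDDEN):
            return False
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if not parts.hostname:
        return False
    return True


def safe_urlopen(url: str, **kwargs):
    """Wrapper around urllib.request.urlopen that applies the check first.

    Hypothetical helper name; raises ValueError instead of sending a request
    whose header block could have been tampered with.
    """
    if not check_request_url(url):
        raise ValueError("refusing URL with control characters or unsupported scheme")
    return urllib.request.urlopen(url, **kwargs)


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary URL, one with an encoded CRLF.
    for sample in ("https://example.com/api?q=1",
                   "http://localhost:8080/%0d%0aX-Constructed-Header: 1"):
        print(sample, "->", "ok" if check_request_url(sample) else "rejected")
```

Recent CPython releases perform a comparable control-character check inside http.client and raise InvalidURL; an application-level check like the one above still documents the intent, covers the percent-encoded form explicitly and gives a clearer error at the point where the URL is assembled.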
