[issue32993] issue30657 Incomplete fix
New submission from yao zhihua:

Due to the incomplete fix for CVE-2011-1521, this vulnerability exists in urllib and urllib2, and I tested on Python 3.4.8 (default, Mar 4 2018, 20:37:04). I am sorry that I do not know how to fix it.

--
components: Library (Lib)
files: poc.py
messages: 313212
nosy: yao zhihua
priority: normal
severity: normal
status: open
title: issue30657 Incomplete fix
type: security
versions: Python 3.4
Added file: https://bugs.python.org/file47469/poc.py

___
Python tracker <https://bugs.python.org/issue32993>
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue32993] issue30657 Incomplete fix
yao zhihua added the comment:

Okay, my fault. I gave the wrong issue. The issue is issue11662. The urlopen function can use the file protocol; when an attacker inputs file:///etc/passwd, it can leak the contents of the passwd file.
[issue32993] issue11662 Incomplete fix
Change by yao zhihua:

--
title: issue30657 Incomplete fix -> issue11662 Incomplete fix
[issue32993] issue11662 Incomplete fix
yao zhihua added the comment:

I also found a function that does not filter the file protocol.

poc:

    import webbrowser
    webbrowser.open('file:///etc/passwd')
[issue32993] issue11662 Incomplete fix
yao zhihua added the comment:

I tried again; the webbrowser module can only open file:///etc/passwd.
[issue32993] urllib and webbrowser.open() can open w/ file: protocol
yao zhihua added the comment:

Borrowing what others have said in Issue11662:

The Python urllib and urllib2 modules are typically used to fetch web pages, but by default they also contain handlers for the ftp:// and file:// URL schemes. Unfortunately, it appears that it is possible for a web server to redirect (HTTP 302) a urllib request to any of the supported schemes.

Examples of how this could turn bad:

1) File disclosure: A web application that normally fetches and displays a web page is redirected to file:///etc/passwd and discloses it.
2) Denial of Service: An application is redirected to a system device (e.g. file:///dev/zero), which will result in excessive CPU/memory/disk usage.
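
As an added example (not part of the tracker thread and not CPython's own code): one way an application that fetches caller-supplied URLs can keep urllib away from file:// and ftp://, both for the initial URL and for redirect targets. The names check_scheme, StrictRedirectHandler, build_web_only_opener and fetch are hypothetical, and the http/https-only allowlist is an assumption about what the application needs.

```python
import urllib.request
from urllib.error import URLError
from urllib.parse import urlsplit

# Assumption: the application only ever needs to fetch web URLs.
ALLOWED_SCHEMES = {"http", "https"}


def check_scheme(url):
    """Return url if its scheme is allowlisted, otherwise raise URLError."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise URLError("blocked URL scheme: %r" % scheme)
    return url


class StrictRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Re-validate the Location target of every redirect before following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        check_scheme(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_web_only_opener():
    """Build an opener that has no file:, ftp: or data: handler registered."""
    opener = urllib.request.OpenerDirector()
    for handler in (
        urllib.request.HTTPHandler(),
        urllib.request.HTTPSHandler(),
        urllib.request.HTTPDefaultErrorHandler(),
        urllib.request.HTTPErrorProcessor(),
        StrictRedirectHandler(),
        urllib.request.UnknownHandler(),  # any other scheme becomes URLError
    ):
        opener.add_handler(handler)
    return opener


def fetch(url, timeout=10):
    """Fetch a caller-supplied URL over http/https only, redirects included."""
    check_scheme(url)
    return build_web_only_opener().open(url, timeout=timeout)
```

Because the opener is assembled by hand instead of with urllib.request.build_opener(), the default FileHandler and FTPHandler are never installed, so the scheme check is backed by the absence of any code path that could read a local file.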
[issue32993] urllib and webbrowser.open() can open w/ file: protocol
yao zhihua added the comment:

Here is the report about the webbrowser vulnerability: https://bugs.python.org/issue32367

You could execute a command with the file protocol in Python 2.7.10.

poc:

    import webbrowser, os
    filename = "/bin/ls"
    webbrowser.open(os.path.realpath(filename))

If Python has fixed this vulnerability, why can I access file:///etc/passwd? But I can't access /etc/shadow. Is the fix incomplete?