IPy Blacklist Bypass

2014.10.17

Credit: Nicolas

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

IPy is a Python "class and tools for handling of IPv4 and IPv6 addresses
and networks" (https://github.com/haypo/python-ipy). This library is
sometimes used to implement blacklists forbidding internal, private or
loopback addresses.
Using octal encoding (supported by urllib2), it is possible to bypass
checks based on the result of the iptype() function. For example, IP
address '0177.0000.0000.0001' is considered as 'PUBLIC' but resolves to
'127.0.0.1' when accessed via urllib2.
Developers were informed, no news since then... More details on my blog:
http://www.agarri.fr/kom/archives/2014/10/15/bypassing_blacklists_based_on_ipy/index.html
Cheers,
Nicolas Grgoire

References:

http://www.agarri.fr/kom/archives/2014/10/15/bypassing_blacklists_based_on_ipy/index.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

IPy Blacklist Bypass

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.