I'm requesting a CVE for CPython (sometimes called Python), for failure to validate
certificates in the HTTP client with TLS.
Title: Python standard HTTP libraries fail to validate TLS certificates for HTTPS
Products: CPython, all 2.x versions prior to 2.7.9, 3.x versions prior to 3.4.3
Description:
When Python's standard library HTTP clients (httplib, urllib, urllib2,
xmlrpclib) are used to access resources with HTTPS, by default the
certificate is not checked against any trust store, nor is the hostname in the
certificate checked against the requested host. It was possible to configure a trust
root to check against; however, there were no facilities for hostname
checking.
This made MITM attacks against the HTTP clients trivial, and violated RFC 2818
(http://tools.ietf.org/html/rfc2818#section-3).
Python 2.7.9 has been issued to resolve this issue. It is also resolved in
3.4.3, which has not yet been released.
Thanks,
Alex
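As an added illustration (not part of Alex's message or of CPython itself), the following Python 3 code contrasts an `SSLContext` configured the way the old defaults behaved (no trust-store check, no hostname check) with the hardened context that 2.7.9/3.4.3 made the default, and audits a context before handing it to `http.client.HTTPSConnection`. Function names and the audit logic are this example's own; `ssl.create_default_context` and the `context=` parameter are the real standard-library APIs added in those releases.

```python
import ssl
import http.client


def insecure_legacy_context():
    """Constructed here for comparison: mimics the pre-2.7.9 / pre-3.4.3
    default of neither checking the chain nor matching the hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared before verify_mode can drop to CERT_NONE
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """The secure default since 2.7.9 / 3.4.3: chain verified against a trust
    store (system store unless cafile is given) and hostname matched per
    RFC 2818 section 3."""
    return ssl.create_default_context(cafile=cafile)


def audit_context(ctx):
    """Return the findings that would let a MITM succeed against ctx."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: "
                        "peer chain is not checked against any trust store")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: "
                        "certificate is not matched against the requested host")
    return findings


def https_connection(host, ctx, port=443, timeout=10):
    """Build an HTTPSConnection that uses ctx, refusing any context that the
    audit flags. Constructing the connection does not open a socket yet."""
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing insecure TLS context: " + "; ".join(problems))
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)


if __name__ == "__main__":
    print(audit_context(insecure_legacy_context()))  # two findings
    print(audit_context(hardened_context()))         # []
```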