Python urllib HTTP Header Injection

2016.06.17

Credit: tim

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Python's built-in URL library ("urllib2" in 2.x and "urllib" in 3.x)
is vulnerable to protocol stream injection attacks (a.k.a. "smuggling"
attacks) via the http scheme. If an attacker could convince a Python
application using this library to fetch an arbitrary URL, or fetch a
resource from a malicious web server, then these injections could
allow for a great deal of access to certain internal services.

URLs of the following form allow injection into the HTTP stream:

  http://127.0.0.1%0d%0aX-injected:%20header%0d%0ax-leftover:%20:12345/foo
  http://localhost%00%0d%0ax-bar:%20:12345/foo

More details here:
  http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html

Thank you,
tim

References:

http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Python urllib HTTP Header Injection

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.