Issue 32993: urllib and webbrowser.open() can open w/ file: protocol

Created on 2018-03-04 13:05 by yao zhihua, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name: poc.py
Uploaded: yao zhihua, 2018-03-04 13:05
Messages (9)
msg313212 - Author: yao zhihua (yao zhihua) Date: 2018-03-04 13:05
Due to the incomplete fix for CVE-2011-1521, this vulnerability still exists in urllib and urllib2, and I tested on the version of Python 3.4.8 (default, Mar 4 2018, 20:37:04). I am sorry that I do not know how to fix it.
msg313217 - Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2018-03-04 19:10
@Yao, sorry, I don't understand it. What is the POC trying to demonstrate? How is it related to https://bugs.python.org/issue30657? And the CVE is this: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521
msg313232 - Author: yao zhihua (yao zhihua) Date: 2018-03-05 00:50
Okay, my fault. I made the wrong issue. The issue is: the urlopen function can use the file protocol; when an attacker inputs file:///etc/passwd, it can leak the contents of the passwd file.
msg313235 - Author: yao zhihua (yao zhihua) Date: 2018-03-05 05:26
I also found a function without filtering the file protocol. poc:
    import webbrowser
    webbrowser.open('file:///etc/passwd')
msg313237 - Author: yao zhihua (yao zhihua) Date: 2018-03-05 06:09
I tried again; the webbrowser module can only open file:///etc/passwd.
msg313493 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2018-03-09 19:31
This is now marked as a security issue but I do not understand what the problem is. urllib / urllib2 are supposed to be able to open file:// style URLs; that was not the point of Issue11662. https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener
And webbrowser also supports file: URLs if the underlying browser does; again, that's a standard feature. So what's the problem here?
msg313528 - Author: yao zhihua (yao zhihua) Date: 2018-03-10 14:10
Borrowing what others have said from Issue11662:
--------------------
The Python urllib and urllib2 modules are typically used to fetch web pages but by default also contain handlers for ftp:// and file:// URL schemes. Now unfortunately it appears that it is possible for a web server to redirect (HTTP 302) a urllib request to any of the supported schemes. Examples of how this could turn bad:
1) File disclosure: A web application that normally fetches and displays a web page is redirected to file:///etc/passwd and discloses it.
2) Denial of Service: An application is redirected to a system device (e.g. file:///dev/zero), which will result in excessive CPU/memory/disk usage.
msg313529 - Author: yao zhihua (yao zhihua) Date: 2018-03-10 14:20
Here is the webbrowser vulnerability: https://bugs.python.org/issue32367
You could execute commands with file protocols in Python 2.7.10. poc:
    import webbrowser, os
    filename = "/bin/ls"
    webbrowser.open(os.path.realpath(filename))
If Python has fixed this vulnerability, why can I access file:///etc/passwd? But I can't access /etc/shadow. Is the fix incomplete?
msg313628 - Author: Martin Panter (martin.panter) * (Python committer) Date: 2018-03-12 00:35
Hi Yao, I tend to agree with Ned. The support for “file:” URLs is by design. I don’t see any security problems. I suggest closing this.

In Issue 11662, it was decided that a web server redirecting to a “file:” URL was a security problem. This is because the mechanism that follows the redirect is automatic, and the target of the redirect is under the control of the remote server, not the local user or program. But other parts of the Python library still support “file:” URLs without causing any problems. Those URLs are under control of the caller, like in your “poc.py” file.

The /etc/passwd file may be readable by ordinary users. But /etc/shadow may require special permission to read, because it holds password hashes. Or it may not exist under that name, depending on the OS.

If a web application calls “urllib.request.urlopen”, I think it is up to the application to validate the URL it passes. It may want to deny or limit access to specific directories, URL schemes, host names, etc. It is not up to Python to make those decisions.

When I tried your “webbrowser.open” demonstration, it made Firefox offer to “download” (i.e. copy) the “ls” executable file. I think this is normal behaviour, and does not indicate a security problem. A plausible use-case would be opening a local README.html file distributed with a program in a web browser.
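Martin's point that scheme and redirect-target policy belongs to the calling application, not to urllib, can be put into code. The following is an added example, not code from this issue or from CPython: an opener assembled without FileHandler, FTPHandler or DataHandler, plus a redirect handler that re-validates every 30x target before it is followed. The names check_url, SchemeCheckingRedirectHandler, build_http_only_opener, redirect_target and fetch are this example's own.

```python
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}  # policy chosen by the application, not by urllib

def check_url(url):
    """Return url unchanged if it is an absolute http(s) URL with a host, else raise ValueError."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme %r not allowed in %s" % (parts.scheme, url))
    if not parts.hostname:
        raise ValueError("no host in %s" % url)
    return url

class SchemeCheckingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Re-run check_url on each 30x target, so a remote server cannot steer the client to file:, ftp: or data:."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        try:
            check_url(newurl)
        except ValueError as exc:
            # Refuse with the same exception type urllib raises for redirects it rejects itself.
            raise HTTPError(req.full_url, code, "%s - %s" % (msg, exc), headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def build_http_only_opener():
    """Assemble the OpenerDirector by hand so FileHandler, FTPHandler and DataHandler are never installed."""
    opener = urllib.request.OpenerDirector()
    for handler in (urllib.request.ProxyHandler(), urllib.request.UnknownHandler(),
                    urllib.request.HTTPHandler(), urllib.request.HTTPSHandler(),
                    urllib.request.HTTPDefaultErrorHandler(), SchemeCheckingRedirectHandler(),
                    urllib.request.HTTPErrorProcessor()):
        opener.add_handler(handler)
    return opener

def redirect_target(from_url, code, newurl):
    """Offline dry run of the redirect policy: the URL that would be followed, or None if refused."""
    req = urllib.request.Request(from_url)
    try:
        return SchemeCheckingRedirectHandler().redirect_request(
            req, None, code, "Found", {}, newurl).full_url
    except HTTPError:
        return None

def fetch(url, timeout=10):
    """What an application would call instead of urlopen(): validate first, then open without file: support."""
    return build_http_only_opener().open(check_url(url), timeout=timeout)
```

With this opener a file: URL is rejected twice: check_url refuses it before any I/O, and even a direct opener.open() call fails with "unknown url type" because no FileHandler is registered.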
History
Date User Action Args
2022-04-11 14:58:58 admin set github: 77174
2018-03-12 01:32:52 ned.deily set status: pending -> closed; type: security -> ; stage: resolved
2018-03-12 00:35:01 martin.panter set status: open -> pending; nosy: + martin.panter; messages: +; resolution: not a bug
2018-03-10 14:20:19 yao zhihua set messages: +
2018-03-10 14:10:40 yao zhihua set messages: +
2018-03-09 19:31:12 ned.deily set nosy: + ned.deily; messages: +
2018-03-05 19:48:21 brett.cannon set keywords: + security_issue; title: issue11662 Incomplete fix -> urllib and webbrowser.open() can open w/ file: protocol
2018-03-05 06:09:08 yao zhihua set messages: +
2018-03-05 05:26:58 yao zhihua set messages: +
2018-03-05 00:51:28 yao zhihua set title: issue30657 Incomplete fix -> issue11662 Incomplete fix
2018-03-05 00:50:26 yao zhihua set messages: +
2018-03-04 19:10:41 orsenthil set nosy: + orsenthil; messages: +
2018-03-04 13:05:12 yao zhihua create