urllib parse_qsl(): Web cache poisoning (original) (raw)

urllib parse_qsl(): Web cache poisoning - semicolon as a query args separator¶

The urlparse module treats semicolon as a separator, whereas most proxies today only take ampersands as separators.

When the attacker can separate query parameters using a semicolon ;, they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter - such asutm_* parameters, which are usually unkeyed.

The fix is to only use ampersands & as separators, and add a_separator_ parameter to chose the separator characters.

Dates:

• Disclosure date: 2021-01-19 (Python issue bpo-42967 reported)
• Reported at: 2020-10-19 (email sent to the PSRT list)
• Reported by: Adam Goldschmidt (Snyk)

Fixed In¶

• Python 3.6.13 (2021-02-16) fixed by commit 5c17dfc (branch 3.6) (2021-02-15)
• Python 3.7.10 (2021-02-16) fixed by commit d0d4d30 (branch 3.7) (2021-02-15)
• Python 3.8.8 (2021-02-19) fixed by commit e3110c3 (branch 3.8) (2021-02-15)
• Python 3.9.2 (2021-02-19) fixed by commit c9f0781 (branch 3.9) (2021-02-15)
• Python 3.10.0 (2021-10-04) fixed by commit fcbe0cb (branch 3.10) (2021-02-14)

Python issue¶

[CVE-2021-23336] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator.

• Python issue: bpo-42967
• Creation date: 2021-01-19
• Reporter: Adam Goldschmidt

CVE-2021-23336¶

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

• CVE ID: CVE-2021-23336
• Published: 2021-02-15
• CVSS Score: 4.0

Timeline¶

Timeline using the disclosure date 2021-01-19 as reference:

• 2020-10-19 (-92 days): Reported (email sent to the PSRT list)
• 2021-01-19: Python issue bpo-42967 reported by Adam Goldschmidt
• 2021-02-14 (+26 days): commit fcbe0cb (branch 3.10)
• 2021-02-15 (+27 days): CVE-2021-23336 published
• 2021-02-15 (+27 days): commit 5c17dfc (branch 3.6)
• 2021-02-15 (+27 days): commit c9f0781 (branch 3.9)
• 2021-02-15 (+27 days): commit d0d4d30 (branch 3.7)
• 2021-02-15 (+27 days): commit e3110c3 (branch 3.8)
• 2021-02-16 (+28 days): Python 3.6.13 released
• 2021-02-16 (+28 days): Python 3.7.10 released
• 2021-02-19 (+31 days): Python 3.8.8 released
• 2021-02-19 (+31 days): Python 3.9.2 released
• 2021-10-04: Python 3.10.0 released

Links¶

• https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
• https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933