[Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

nospam at curso.re nospam at curso.re
Mon Feb 20 16:01:21 EST 2017


I have just noticed that an FTP injection advisory has been made public
on the oss-security list.

The author says that an exploit exists, but it won't be published
until the code is patched.

You may already be aware, but it would be good to understand what the
position of the core developers is on this.

The advisory is linked below (with some excerpts in this message):


   Protocol injection flaws like this have been an area of research of mine
   for the past couple of years and as it turns out, this FTP protocol
   injection allows one to fool a victim's firewall into allowing TCP
   connections from the Internet to the vulnerable host's system on any
   "high" port (1024-65535). A nearly identical vulnerability exists in
   Python's urllib2 and urllib libraries. In the case of Java, this attack
   can be carried out against desktop users even if those desktop users do
   not have the Java browser plugin enabled.

   As of 2017-02-20, the vulnerabilities discussed here have not been patched
   by the associated vendors, despite advance warning and ample time to do

   Python's built-in URL fetching library (urllib2 in Python 2 and urllib in
   Python 3) is vulnerable to a nearly identical protocol stream injection,
   but this injection appears to be limited to attacks via directory names
   specified in the URL.

   The Python security team was notified in January 2016. Information
   provided included an outline of the possibility of FTP/firewall attacks.
   Despite repeated follow-ups, there has been no apparent action on their

Best regards,

-- Stefano

I am posting from gmane, I hope that this is OK.
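The mechanism the advisory describes, as an added illustration that is not part of the post above nor of the advisory or Python's own code: an attacker-controlled ftp:// URL whose directory name carries a percent-encoded CRLF. A client that walks the path with one CWD per directory (the style urllib uses) puts the decoded name straight onto the control channel, so the server, and any firewall doing FTP connection tracking, sees a second command. Here that command is PORT, which is exactly what a stateful firewall watches to open a hole for the data connection. The host name, the PORT address and the 8000 port are constructed sample values; the whole exchange is simulated with strings, no sockets are opened, and the control-character check is my illustration of the fix a client needs, not Python's code.

```python
"""Added example: FTP control-channel injection via a directory name in an
ftp:// URL, and the check that stops it.  Sample host/address values are
constructed for the example; nothing is sent over the network."""
from urllib.parse import urlsplit, unquote

# Constructed attacker-controlled URL.  The directory name "pub" is followed
# by an encoded CR LF and a PORT command.  PORT announces the address the
# client will accept a data connection on: 10.0.0.5, port 31*256 + 64 = 8000.
EVIL_URL = "ftp://files.example.test/pub%0D%0APORT%2010,0,0,5,31,64/README"
BENIGN_URL = "ftp://files.example.test/pub/README"


def ftp_commands_for_url(url, check_control_chars=False):
    """Return the control-channel text a client would send to fetch ``url``:
    one CWD per directory component, then RETR for the file (the walk
    urllib's FTP handler performs).

    check_control_chars=False reproduces the unpatched behaviour the
    advisory describes; True refuses any component containing CR or LF,
    the check a client must apply before bytes reach the control socket
    (illustrative, not Python's own implementation)."""
    parts = urlsplit(url)
    components = [unquote(c) for c in parts.path.split("/")[1:]]
    dirs, filename = components[:-1], components[-1]
    lines = []
    for name in dirs + [filename]:
        if check_control_chars and ("\r" in name or "\n" in name):
            raise ValueError("CR/LF in FTP path component: %r" % name)
    for d in dirs:
        lines.append("CWD " + d + "\r\n")
    lines.append("RETR " + filename + "\r\n")
    return "".join(lines)


def server_side_parse(stream):
    """Split a raw control-channel stream into (VERB, argument) pairs the way
    an FTP server or firewall ALG does: one command per CRLF-terminated line.
    This is where the injected newline turns one CWD into two commands."""
    commands = []
    for line in stream.split("\r\n"):
        if not line:
            continue
        verb, _, arg = line.partition(" ")
        commands.append((verb.upper(), arg))
    return commands


def injected_port(url):
    """Return the (ip, port) a connection-tracking firewall would learn from
    a PORT command smuggled into ``url``, or None if the stream has none."""
    for verb, arg in server_side_parse(ftp_commands_for_url(url)):
        if verb == "PORT":
            h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
            return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)
    return None


if __name__ == "__main__":
    print(server_side_parse(ftp_commands_for_url(EVIL_URL)))
    print(injected_port(EVIL_URL))
    try:
        ftp_commands_for_url(EVIL_URL, check_control_chars=True)
    except ValueError as exc:
        print("rejected:", exc)
```

The unpatched path produces three commands from a two-component URL, CWD pub, PORT 10,0,0,5,31,64 and RETR README, so a firewall tracking the session would permit an inbound connection to 10.0.0.5:8000 from the FTP server's address; since the attacker chooses the URL, they choose the port. Note that the check belongs at the point where the command line is assembled, not in URL parsing: percent-decoding is what turns %0D%0A into the CRLF, so validating the encoded URL is not enough.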

