[Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

Steven D'Aprano steve at pearwood.info
Thu Feb 23 23:36:57 EST 2017

I haven't seen any response to the following alleged security 

I am not qualified to judge the merits of this, but it does seem 
worrying that (alledgedly) the Python security team hasn't responded for 
over 12 months.

Is anyone able to comment?



On Mon, Feb 20, 2017 at 09:01:21PM +0000, nospam at curso.re wrote:
> Hello,
> I have just noticed that an FTP injection advisory has been made public
> on the oss-security list.
> The author says that he an exploit exists but it won't be published
> until the code is patched
> You may be already aware, but it would be good to understand what is the
> position of the core developers about this.
> The advisory is linked below (with some excerpts in this message):
> http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html
>    Protocol injection flaws like this have  been an area of research of  mine
>    for the past few couple  of years and as it  turns out, this FTP  protocol
>    injection allows  one  to  fool  a victim's  firewall  into  allowing  TCP
>    connections from  the Internet  to  the vulnerable  host's system  on  any
>    "high" port  (1024-65535).  A  nearly identical  vulnerability  exists  in
>    Python's urllib2 and urllib  libraries. In the case  of Java, this  attack
>    can be carried out  against desktop users even  if those desktop users  do
>    not have the Java browser plugin enabled.
>    As of 2017-02-20, the vulnerabilities discussed here have not been patched
>    by the associated vendors,  despite advance warning and  ample time to  do
>    so.
>    [...]
>    Python's built-in URL fetching library (urllib2 in Python 2 and urllib  in
>    Python 3) is vulnerable to  a nearly identical protocol stream  injection,
>    but this injection appears  to be limited to  attacks via directory  names
>    specified in the URL.
>    [...]
>    The Python  security  team  was  notified  in  January  2016.  Information
>    provided included an outline of  the possibility of FTP/firewall  attacks.
>    Despite repeated follow-ups, there  has been no  apparent action on  their
>    part.
> Best regards,
> -- Stefano
> P.S.
> I am posting from gmane, I hope that this is OK.
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/steve%40pearwood.info

More information about the Python-Dev mailing list