(repost) Advisory: HTTP Header Injection in Python urllib

Random832 random832 at fastmail.com
Fri Jun 17 23:52:21 EDT 2016


On Fri, Jun 17, 2016, at 21:00, Steven D'Aprano wrote:
> The author doesn't go into details of what sort of attacks against
> localhost they're talking about. An unauthenticated service running on
> localhost implies, to me, a single-user setup, where presumably the
> single-user has admin access to localhost. So I'm not really sure what
> "risk" they have

The issue - especially clearly in this context, which demonstrates a
working exploit for this vulnerability - is cross-site request forgery.
Which doesn't technically require the victim service to be HTTP (I
remember a proof of concept a while back which would trick a browser
into connecting to an IRC server), so long as it can ignore HTTP
headers.


More information about the Python-list mailing list