(repost) Advisory: HTTP Header Injection in Python urllib

Jon Ribbens jon+usenet at unequivocal.co.uk
Tue Jun 21 12:09:02 EDT 2016

On 2016-06-21, Steven D'Aprano <steve at pearwood.info> wrote:
> "In our case, if we could fool an internal Python application into fetching
> a URL for us, then we could easily access memcached instances. Consider the
> URL: ..."
> and then they demonstrate an attack against memcache. Except, the author of
> the article knows the port that memcache is on, and he doesn't have to fool
> anyone into fetching a hostile URL. He just fetched it himself.

memcached, like most services, has a default port. If you know or can
guess that memcached is in use then you probably know the right port.

Bear in mind that some very successful attacks rely on quite specific
circumstances but bear fruit anyway if you can manage to do some sort
of scripted attack against a large number of potential victims.

> "In our case, if we could fool a person into pointing a gun at their foot
> and pulling the trigger, we can blow their foot off. Here is a
> proof-of-concept..." (points gun at own foot and pulls trigger)

No, that's not a fair comparison at all.

> Absent an actual attack that demonstrates the "fool an internal application"
> part, I don't think I'm going to lose too much sleep over this. My house
> has many dangerous items, like kitchen knives, power tools and the like. If
> somebody could fool me into, say, hitting myself on the head with a hammer,
> that would be bad.

That's not a valid analogy either. A more appropriate analogy would be
that if someone could get you to hit a specific ordinary-looking nail
then your hammer will bounce off and hit you in the head.

> Maybe I'm missing something, but while I acknowledge the general position 
> "here's a security flaw", and I accept that it needs to be fixed, I'm not
> seeing that this is a sufficiently realistic attack enough to justify
> requiring authentication for all internal services.

I agree, although it is certainly something that people ought to bear
in mind. And it is something that should certainly be fixed in Python.
