Latest YouTube Video

Thursday, June 16, 2016

[FD] Blindspot Advisory: HTTP Header Injection in Python urllib

Python's built-in URL library ("urllib2" in 2.x and "urllib" in 3.x) is vulnerable to protocol stream injection attacks (a.k.a. "smuggling" attacks) via the http scheme. If an attacker could convince a Python application using this library to fetch an arbitrary URL, or fetch a resource from a malicious web server, then these injections could allow for a great deal of access to certain internal services. URLs of the following form allow injection into the HTTP stream: http://127.0.0.1%0d%0aX-injected:%20header%0d%0ax-leftover:%20:12345/foo http://localhost%00%0d%0ax-bar:%20:12345/foo More details here: http://ift.tt/1XXmPEE Thank you, tim

Source: Gmail -> IFTTT-> Blogger

No comments: