Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.python > #110082
| From | Random832 <random832@fastmail.com> |
|---|---|
| Newsgroups | comp.lang.python |
| Subject | Re: (repost) Advisory: HTTP Header Injection in Python urllib |
| Date | 2016-06-17 23:52 -0400 |
| Message-ID | <mailman.112.1466221943.2288.python-list@python.org> (permalink) |
| References | <87shwbmz0l.fsf@nightsong.com> <57649d22$0$1603$c3e8da3$5496439d@news.astraweb.com> <1466221941.3662846.641269641.7FFA59B4@webmail.messagingengine.com> |
On Fri, Jun 17, 2016, at 21:00, Steven D'Aprano wrote: > The author doesn't go into details of what sort of attacks against > localhost they're talking about. An unauthenticated service running on > localhost implies, to me, a single-user setup, where presumably the > single-user has admin access to localhost. So I'm not really sure what > "risk" they have The issue - especially clearly in this context, which demonstrates a working exploit for this vulnerability - is cross-site request forgery. Which doesn't technically require the victim service to be HTTP (I remember a proof of concept a while back which would trick a browser into connecting to an IRC server), so long as it can ignore HTTP headers.
Back to comp.lang.python | Previous | Next — Previous in thread | Next in thread | Find similar | Unroll thread
(repost) Advisory: HTTP Header Injection in Python urllib Paul Rubin <no.email@nospam.invalid> - 2016-06-17 11:49 -0700
Re: (repost) Advisory: HTTP Header Injection in Python urllib Steven D'Aprano <steve@pearwood.info> - 2016-06-18 11:00 +1000
Re: (repost) Advisory: HTTP Header Injection in Python urllib Random832 <random832@fastmail.com> - 2016-06-17 23:52 -0400
Re: (repost) Advisory: HTTP Header Injection in Python urllib Steven D'Aprano <steve@pearwood.info> - 2016-06-19 02:02 +1000
Re: (repost) Advisory: HTTP Header Injection in Python urllib alister <alister.ware@ntlworld.com> - 2016-06-18 16:38 +0000
Re: (repost) Advisory: HTTP Header Injection in Python urllib Random832 <random832@fastmail.com> - 2016-06-18 13:28 -0400
Re: (repost) Advisory: HTTP Header Injection in Python urllib Steven D'Aprano <steve@pearwood.info> - 2016-06-22 01:27 +1000
Re: (repost) Advisory: HTTP Header Injection in Python urllib Jon Ribbens <jon+usenet@unequivocal.co.uk> - 2016-06-21 16:09 +0000
Re: (repost) Advisory: HTTP Header Injection in Python urllib Paul Rubin <no.email@nospam.invalid> - 2016-06-18 13:43 -0700
Re: (repost) Advisory: HTTP Header Injection in Python urllib Marko Rauhamaa <marko@pacujo.net> - 2016-06-18 11:35 +0300
csiph-web