Report of Open Redirect Vulnerability in Python 3.9.19 - Utilizing Simple HTTP #132826

Closed
hnagashimauu opened this issue Apr 23, 2025 · 4 comments
hnagashimauu commented Apr 23, 2025

Bug Report

Description

We identified that when using Simple HTTP in Python 3.9.19 with the payload /\\oast.me/%2e%2e%2f, an open redirect vulnerability arises.
This could potentially allow attackers to redirect users to malicious websites or resources, leading to phishing attacks or the exploitation of sensitive information.

Steps to Reproduce

  1. Run the following code with Python 3.9.19.
#!/usr/bin/env python3
from http.server import SimpleHTTPRequestHandler
from socketserver import TCPServer

address = ''  # empty host: bind on all interfaces
port = 8080
Handler = SimpleHTTPRequestHandler  # stock stdlib handler, serves the current directory
TCPServer((address, port), Handler).serve_forever()
  2. Craft a payload containing /\\oast.me/%2e%2e%2f..
  3. Attempt to access the server with the crafted payload.
  4. Observe the redirection behavior.

Output of curl

$ curl --noproxy "*" -I -x GET http://127.0.0.1:8080/\\oast.me/%2e%2e%2f
HTTP/1.0 301 Moved Permanently
Server: SimpleHTTP/0.6 Python/3.9.19
Date: Mon, 21 Apr 2025 11:06:08 GMT
Location: /\oast.me/%2e%2e%2f/
Content-Length: 0

Issue

If the URL path contains /\\oast.me/%2e%2e%2f, the response of Location header includes /\oast.me/%2e%2e%2f/.
It redirects to http://oast.me/..%2f/.

Expected Result

If the Location header starts with /, it is interpreted as a relative path on the same server.

Version

3.9.19
3.9.21
3.8.18
3.12.5

OS

Ubuntu 20.04.6 LTS

Related Issue

#118312

@hnagashimauu hnagashimauu added the type-bug An unexpected behavior, bug, or error label Apr 23, 2025
@hugovk hugovk added type-security A security issue type-bug An unexpected behavior, bug, or error and removed type-bug An unexpected behavior, bug, or error labels Apr 23, 2025
hugovk commented Apr 23, 2025

This could potentially allow attackers to redirect users to malicious websites or resources, leading to phishing attacks or the exploitation of sensitive information.

Keep in mind the big warning at the top of https://docs.python.org/3/library/http.server.html :

Warning: http.server is not recommended for production. It only implements basic security checks.

@ZeroIntensity ZeroIntensity added 3.11 only security fixes 3.10 only security fixes 3.9 only security fixes 3.12 only security fixes 3.13 bugs and security fixes 3.14 bugs and security fixes labels Apr 24, 2025
@ZeroIntensity
Keep in mind the big warning at the top of https://docs.python.org/3/library/http.server.html :

That said, I think this probably falls under the category of "basic security checks." I've tentatively added all the version labels, but I'm also fine with backporting this to only 3.13 as a bugfix.

@picnixz picnixz added the stdlib Python modules in the Lib dir label Apr 24, 2025
picnixz commented Apr 24, 2025

http.server is really meant to be used for serving files locally, and/or in a testing environment, or in an environment that students need to attack for whatever reasons. I won't consider this a security issue personally and I wouldn't bother indicating this as well.

Making it so to avoid open redirect vulnerabilities is honestly too much for this module. cc @gpshead

@picnixz picnixz added the pending The issue will be closed if no feedback is provided label Apr 24, 2025
vadmium commented Apr 25, 2025

Craft a payload containing /\\oast.me/%2e%2e%2f..

I think the double backslash was only intended for the shell command line. The argument passed to Curl and the HTTP protocol only get a single backslash.

The following production may be conceptually easier to understand:

$ mkdir '\oast.me'  # Directory causes Python to redirect
$ curl -I --location -vs -o /dev/null 'http://127.0.0.1:8080/\oast.me'
. . .
> HEAD /\oast.me HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 301 Moved Permanently
< Server: SimpleHTTP/0.6 Python/3.12.9
< Date: Fri, 25 Apr 2025 00:26:32 GMT
< Location: /\oast.me/
< Content-Length: 0
<
* Closing connection 0
* Issue another request to this URL: 'http://127.0.0.1:8080/\oast.me/'
. . .
> HEAD /\oast.me/ HTTP/1.0
> Host: 127.0.0.1:8080
> User-Agent: curl/7.68.0
> Accept: */*

Location header includes /\oast.me/%2e%2e%2f/. It redirects to http://oast.me/..%2f/.

To redirect to a different host, the client would have to interpret the backslash like a second forward slash. None of the versions of Curl I tried did this. I did find the Chrome browser interpreted the redirect as to the host //oast.me, but I did not find a way for Chrome to make an initial HTTP request with the backslash.

The problem is that the Python server accepts a backslash character in the request, handles it like an unreserved URL character, and includes the backslash in the URL of its response. However, a backslash is not allowed in URLs according to RFC 3986. It is plausible that a client could interpret the backslash differently, like Chrome did.

This is a case of garbage in, garbage out. Ideally a server would send a valid HTTP response, such as a 400 Bad Request error, or with the backslash encoded as %5C.
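The following is an added example, written for this page and not code from CPython, the reporter, or any commenter. It reproduces both productions discussed above against a throwaway document root: the reporter's `/\oast.me/%2e%2e%2f` payload (where `%2e%2e%2f` normalises away, so the directory found is the root itself) and vadmium's simpler `\oast.me` directory. It then resolves the resulting `Location` header two ways, as curl and `urllib.parse.urljoin` do under RFC 3986 (backslash stays in the path, same host) and as a WHATWG parser such as Chrome does (backslash treated as slash, so `/\oast.me/` becomes scheme-relative `//oast.me/` and leaves the origin). Finally it shows the 400 Bad Request response vadmium suggests via `RejectBackslashHandler`, a hypothetical hardening subclass that is not part of the stdlib. Assumptions: a POSIX filesystem (a directory may be named `\oast.me`), an ephemeral port on 127.0.0.1 can be bound, and only the WHATWG backslash rule is modelled (a real browser would also decode `%2e%2e`).

```python
"""Reproduce the backslash redirect from this issue and show a hardened handler.

Added example, not CPython code. Assumes a POSIX filesystem (a directory may be
named "\\oast.me") and that an ephemeral port on 127.0.0.1 can be bound.
"""
import functools
import os
import tempfile
import threading
from http import HTTPStatus
from http.client import HTTPConnection
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urljoin


class StockHandler(SimpleHTTPRequestHandler):
    """Unmodified stdlib behaviour; only the access log is silenced."""

    def log_message(self, format, *args):
        pass


class RejectBackslashHandler(StockHandler):
    """Hypothetical hardening (added here, not in the stdlib): RFC 3986 allows no
    backslash in a path, so refuse it before send_head() can echo it into Location."""

    def send_head(self):
        if "\\" in self.path:  # self.path is the raw request target
            self.send_error(HTTPStatus.BAD_REQUEST,
                            "Backslash is not a valid URI path character")
            return None
        return super().send_head()


def head(handler_cls, docroot, request_target):
    """Serve docroot with handler_cls on an ephemeral port, send one raw HEAD
    request for request_target and return (status, Location header or None)."""
    handler = functools.partial(handler_cls, directory=docroot)
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    conn = HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
    try:
        conn.request("HEAD", request_target)  # http.client passes the backslash through
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()
        server.shutdown()
        server.server_close()


def resolve_location(base, location):
    """Resolve a Location header both ways a client might.

    rfc3986: urllib.parse.urljoin keeps the backslash inside the path, as curl
    does, so the redirect stays on the same host.
    whatwg:  browsers treat a backslash as a slash for http(s), so "/\\oast.me/"
    becomes the scheme-relative "//oast.me/" and the redirect changes host.
    Only the backslash rule is modelled here; %2e%2e decoding is not."""
    return {
        "rfc3986": urljoin(base, location),
        "whatwg": urljoin(base, location.replace("\\", "/")),
    }


def reproduce():
    """Run the three requests discussed in the thread against a throwaway
    docroot and return their (status, Location) pairs keyed by scenario."""
    with tempfile.TemporaryDirectory() as docroot:
        os.mkdir(os.path.join(docroot, "\\oast.me"))  # vadmium's directory trick
        return {
            # Reporter's payload: %2e%2e%2f normalises to "/", a directory, so
            # the stock handler answers 301 and echoes the raw path plus "/".
            "stock_original": head(StockHandler, docroot, "/\\oast.me/%2e%2e%2f"),
            # Same mechanism with a directory literally named "\oast.me".
            "stock_dir": head(StockHandler, docroot, "/\\oast.me"),
            # The hardened handler refuses the request instead of redirecting.
            "strict": head(RejectBackslashHandler, docroot, "/\\oast.me/%2e%2e%2f"),
        }


if __name__ == "__main__":
    for name, (status, location) in reproduce().items():
        print(f"{name:15} {status} Location: {location}")
    resolved = resolve_location("http://127.0.0.1:8080/", "/\\oast.me/%2e%2e%2f/")
    print("curl / RFC 3986 ->", resolved["rfc3986"])  # stays on 127.0.0.1
    print("WHATWG browser  ->", resolved["whatwg"])   # lands on oast.me
```

Run it with `python3 repro.py`; the two stock scenarios print `301` with the backslash echoed in `Location`, the strict scenario prints `400` with no `Location`, and the two resolutions show why curl never left the host while Chrome would. The subclass is the smallest change that gives a valid response; percent-encoding the backslash as `%5C` in the redirect is the other option vadmium names and would still serve the directory after the client follows it.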

@picnixz picnixz closed this as not planned Won't fix, can't repro, duplicate, stale Jun 7, 2025
@ZeroIntensity ZeroIntensity added invalid and removed type-bug An unexpected behavior, bug, or error type-security A security issue stdlib Python modules in the Lib dir 3.11 only security fixes 3.10 only security fixes 3.9 only security fixes pending The issue will be closed if no feedback is provided 3.12 only security fixes 3.13 bugs and security fixes 3.14 bugs and security fixes labels Jun 8, 2025
5 participants