Re: [Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

2017-02-23 Thread Steven D'Aprano
I haven't seen any response to the following alleged security 
vulnerability.

I am not qualified to judge the merits of this, but it does seem 
worrying that (allegedly) the Python security team hasn't responded for 
over 12 months.

Is anyone able to comment?


Thanks,


Steve


On Mon, Feb 20, 2017 at 09:01:21PM +, [email protected] wrote:
> Hello,
> 
> I have just noticed that an FTP injection advisory has been made public
> on the oss-security list.
> 
> The author says that an exploit exists but it won't be published
> until the code is patched.
> 
> You may be already aware, but it would be good to understand what is the
> position of the core developers about this.
> 
> The advisory is linked below (with some excerpts in this message):
> 
> http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html
> 
>    Protocol injection flaws like this have been an area of research of mine
>    for the past few couple of years and as it turns out, this FTP protocol
>    injection allows one to fool a victim's firewall into allowing TCP
>    connections from the Internet to the vulnerable host's system on any
>    "high" port (1024-65535). A nearly identical vulnerability exists in
>    Python's urllib2 and urllib libraries. In the case of Java, this attack
>    can be carried out against desktop users even if those desktop users do
>    not have the Java browser plugin enabled.
>    As of 2017-02-20, the vulnerabilities discussed here have not been patched
>    by the associated vendors, despite advance warning and ample time to do
>    so.
>    [...]
>    Python's built-in URL fetching library (urllib2 in Python 2 and urllib in
>    Python 3) is vulnerable to a nearly identical protocol stream injection,
>    but this injection appears to be limited to attacks via directory names
>    specified in the URL.
>    [...]
>    The Python security team was notified in January 2016. Information
>    provided included an outline of the possibility of FTP/firewall attacks.
>    Despite repeated follow-ups, there has been no apparent action on their
>    part.
> 
> Best regards,
> 
> -- Stefano
> 
> P.S.
> I am posting from gmane, I hope that this is OK.
> 
> ___
> Python-Dev mailing list
> [email protected]
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: 
> https://mail.python.org/mailman/options/python-dev/steve%40pearwood.info
> 


Re: [Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

2017-02-23 Thread Benjamin Peterson


On Thu, Feb 23, 2017, at 20:36, Steven D'Aprano wrote:
> I haven't seen any response to the following alleged security 
> vulnerability.
> 
> I am not qualified to judge the merits of this, but it does seem 
> worrying that (allegedly) the Python security team hasn't responded for 
> over 12 months.

Like all CPython developers, the Python security team are all
volunteers. That combined with the fact that dealing with security
issues is one of the least fun programming tasks means issues are
sometimes dropped.

Perhaps some organization with a stake in Python security would like to
financially support Python security team members.

As for this particular issue, we should determine if there's a tracker
issue yet and continue discussion there.