
Why exception from os.path.exists()?

On Thu, 07 Jun 2018 22:46:09 +1000, Chris Angelico wrote:

>> I wonder how many publicly facing web servers can be induced to either
>> crash, or serve the wrong content, this way?
> Define "serve the wrong content". You could get the exact same content
> by asking for "te" instead of "te%00st.html"; 

Perhaps so, but maybe you can bypass access controls to te and get access 
to it even though it is supposed to be private.

This is a real vulnerability, called null-byte injection.

One component of the system sees a piece of input, truncates it at the 
NULL, and validates the truncated input; then another component acts on 
the untruncated (and unvalidated) input.

Null-byte injection attacks have led to remote attackers executing 
arbitrary code. That's unlikely in this scenario, but given that most web 
servers are written in C, not Python, it is conceivable that they could 
do anything under a null-byte injection attack.

Does the Python web server suffer from that vulnerability? I would be 
surprised if it were. But it can be induced to crash (an exception, not a 
seg fault) which is certainly a vulnerability.

Since people are unlikely to use this web server to serve mission 
critical public services over the internet, the severity is likely low. 
Nevertheless, it is still a real vulnerability.

Steven D'Aprano
"Ever since I learned about confirmation bias, I've been seeing
it everywhere." -- Jon Ronson
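As an added example, not code from this post or from Python's http.server, the following models the mismatch Steven describes: one component validates the full string while a NUL-terminating component acts on the truncated one. The file name `te`, the `PRIVATE_FILES` set, the `.html` allow-list and the `c_truncate` helper are constructed for the illustration; only `urllib.parse.unquote` and `os.path.exists` are real library calls. The note about `os.path.exists` raising `ValueError` reflects the interpreters current when this thread was written; from Python 3.8 on it returns False for such paths instead.

```python
import os
from urllib.parse import unquote

# Constructed setup: one file that must stay private, plus the rule that
# only .html files may be served.
PRIVATE_FILES = {"te"}
ALLOWED_SUFFIX = ".html"


def unquote_request(raw_path: str) -> str:
    """What a Python web server does with the request path: percent-decode it.
    'te%00st.html' becomes 'te\\x00st.html', a str with an embedded NUL."""
    return unquote(raw_path)


def c_truncate(path: str) -> str:
    """Hypothetical model of a C-style component that treats the string as
    NUL-terminated: everything from the first NUL onwards is silently dropped."""
    return path.split("\x00", 1)[0]


def naive_serve(requested: str):
    """Vulnerable pattern from the post: validate the *full* string, then let
    a NUL-terminating component act on the *truncated* one.

    Returns the name that would actually be opened, or None if rejected."""
    if not requested.endswith(ALLOWED_SUFFIX):   # the check sees 'te\x00st.html'
        return None
    return c_truncate(requested)                  # the open sees 'te'


def hardened_serve(requested: str):
    """Defensive version: reject embedded NULs before any other check, so
    every later component sees exactly the string that was validated."""
    if "\x00" in requested:
        return None          # a real server would answer 400 here, not crash
    if not requested.endswith(ALLOWED_SUFFIX):
        return None
    return requested


def exists_safely(path: str) -> bool:
    """os.path.exists() on a path containing a NUL raised ValueError
    ('embedded null byte') on the Python versions of this thread; catching it
    turns the crash into a plain 'not found'. Python 3.8+ already returns False."""
    try:
        return os.path.exists(path)
    except ValueError:
        return False


if __name__ == "__main__":
    decoded = unquote_request("te%00st.html")
    print("naive opens:", naive_serve(decoded), "(private)" if naive_serve(decoded) in PRIVATE_FILES else "")
    print("hardened opens:", hardened_serve(decoded))
    print("exists_safely:", exists_safely(decoded))
```

The point of the hardened path is not the extra `if` on its own but that the rejection happens before the string reaches anything that interprets NUL differently, so validation and action are always performed on the same bytes.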