myhack58 (MYHACK58:62201785230), published Apr 14, 2017

Analysis of two Django URL redirect vulnerabilities: CVE-2017-7233 & CVE-2017-7234 - vulnerability warning - 黑吧安全网 (myhack58)

2017-04-14 00:00:00 | 佚名 (Anonymous) | www.myhack58.com

CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS2: 5.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.004 Low
Percentile: 69.4%

On April 4, Django's official News & Events page announced a security release fixing two URL redirect vulnerabilities: one is a urlparse pitfall, the other was reported by phithon, a security researcher at Chaitin Tech (长亭科技). Both are very elegant. Since I have a habit of reproducing Django vulnerabilities, I spent the evening reproducing them; they are quite interesting, so I have put the analysis of both vulnerabilities together in one article.
CVE-2017-7233 analysis: bypassing Django's is_safe_url() redirect-URL filter
The foreign security researcher roks0n reported this vulnerability to the Django project.
About the is_safe_url function
Django ships a function, django.utils.http.is_safe_url(url, host=None, allowed_hosts=None, require_https=False), for filtering URLs that a view is about to redirect to. It returns True if the URL is safe and False if it is not. Its docstring reads:
>>> print(is_safe_url.__doc__)
Return True if the url is a safe redirection (i.e. it doesn't point to
a different host and uses a safe scheme).
Always returns False on an empty url.
If require_https is True, only 'https' will be considered a valid
scheme, as opposed to 'http' and 'https' with the default, False.
Let's look at a few conventional usages:
In [1]: from django.utils.http import is_safe_url
In [2]: is_safe_url('http://baidu.com')
Out[2]: False
In [3]: is_safe_url('baidu.com')
Out[3]: True
In [5]: is_safe_url('aaaaa')
Out[5]: True
In [8]: is_safe_url('//blog.neargle.com')
Out[8]: False
In [7]: is_safe_url('http://google.com/adadadadad', 'blog.neargle.com')
Out[7]: False
In [13]: is_safe_url('http://blog.neargle.com/aaaa/bbb', 'blog.neargle.com')
Out[13]: True
As you can see, when the second parameter host is not given, is_safe_url judges the url unsafe whenever it is not a relative path, i.e. whenever HttpResponseRedirect would send the user to another site. If host is specified as blog.neargle.com, is_safe_url checks whether the url belongs to blog.neargle.com: if the url's host is blog.neargle.com, or the url is a relative path, it is judged safe.
The urllib.parse.urlparse special case
The problem lies in how the function determines the domain name and the scheme: it relies on urllib.parse.urlparse. The source (django/utils/http.py) is as follows:
import unicodedata
from urllib.parse import urlparse

def _is_safe_url(url, host):
    # Browsers treat a URL with three leading slashes as absolute; reject it outright.
    if url.startswith('///'):
        return False
    url_info = urlparse(url)
    # A scheme without a host (e.g. http:///example.com) is rejected.
    if not url_info.netloc and url_info.scheme:
        return False
    # Reject URLs that start with a control character (category 'C').
    if unicodedata.category(url[0])[0] == 'C':
        return False
    # Safe only if the host is ours (or absent) and the scheme is http/https (or absent).
    return ((not url_info.netloc or url_info.netloc == host) and
            (not url_info.scheme or url_info.scheme in ['http', 'https']))
Let's look at urlparse's normal usage and at several special cases it does not handle correctly.
>>> urlparse('http://blog.neargle.com/2017/01/09/chrome-ext-spider-for-probe/')
ParseResult(scheme='http', netloc='blog.neargle.com', path='/2017/01/09/chrome-ext-spider-for-probe/', params='', query='', fragment='')
>>> urlparse('ftp:99999999')
ParseResult(scheme='', netloc='', path='ftp:99999999', params='', query='', fragment='')
>>> urlparse('http:99999999')
ParseResult(scheme='http', netloc='', path='99999999', params='', query='', fragment='')
>>> urlparse('https:99999999')
ParseResult(scheme='', netloc='', path='https:99999999', params='', query='', fragment='')
>>> urlparse('javascript:222222')
ParseResult(scheme='', netloc='', path='javascript:222222', params='', query='', fragment='')
>>> urlparse('ftp:aaaaaaa')
ParseResult(scheme='ftp', netloc='', path='aaaaaaa', params='', query='', fragment='')
>>> urlparse('ftp:127.0.0.1')
ParseResult(scheme='ftp', netloc='', path='127.0.0.1', params='', query='', fragment='')
We can see that when the scheme is not http and the part after the colon is purely numeric, urlparse does not split a URL such as aaaa:2222222223 properly: the whole string is returned as the path. In that case url_info.netloc == url_info.scheme == "", so ((not url_info.netloc or url_info.netloc == host) and (not url_info.scheme or url_info.scheme in ['http', 'https'])) evaluates to True. Incidentally, the PoC mentioned in Django's News & Events post, "http:99999999", cannot bypass the check, because the earlier test `if not url_info.netloc and url_info.scheme:` rejects it. For example:
>>> is_safe_url('http:555555555')
False
>>> is_safe_url('ftp:23333333333')
True
>>> is_safe_url('https:2333333333')
True
Using a decimal IP to bypass is_safe_url
But since this is a URL redirect vulnerability, we need the redirect to land on a URL we specify. A URL like https:2333333333 is obviously not reachable, and the colon must be followed by pure digits, so http:127.0.0.1 cannot bypass the check. What can be done? In fact, an IP address is not only written in the common dotted-decimal notation: a single decimal number can also represent an IP address, and browsers support it. For example, 127.0.0.1 == 2130706433 and 8.8.8.8 == 134744072 (converter: http://www.ipaddressguide.com/ip), and 'http:2130706433' is reachable in a browser and goes to the corresponding IP and service, i.e. http:2130706433 = http://127.0.0.1/.

