Bypassing blacklists based on IPy

2014-10-17T00:00:00
ID SECURITYVULNS:DOC:31294
Type securityvulns
Reporter Securityvulns
Modified 2014-10-17T00:00:00

Description

IPy is a Python "class and tools for handling of IPv4 and IPv6 addresses and networks" (https://github.com/haypo/python-ipy). This library is sometimes used to implement blacklists forbidding internal, private or loopback addresses.

Using octal encoding (supported by urllib2), it is possible to bypass checks based on the result of the iptype() function. For example, IP address '0177.0000.0000.0001' is considered as 'PUBLIC' but resolves to '127.0.0.1' when accessed via urllib2.

Developers were informed, no news since then... More details on my blog: http://www.agarri.fr/kom/archives/2014/10/15/bypassing_blacklists_based_on_ipy/index.html

Cheers, Nicolas Gregoire