nuts7 / CVE-2023-27372

SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.

urllib3.util.ssl_ has no attribute DEFAULT_CIPHERS #1

Closed D3vil0p3r closed 2 weeks ago

D3vil0p3r commented 1 month ago

Hey @nuts7 when the script is run by Python3.12, I get:

Traceback (most recent call last):
  File "/home/athena/CVE-2023-27372/./CVE-2023-27372.py", line 63, in <module>
    requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'urllib3.util.ssl_' has no attribute 'DEFAULT_CIPHERS'

I would like to avoid downgrading Python (I'm using NixOS). Is it possible to fix this issue in the script code itself?

nuts7 commented 1 month ago

Hi @D3vil0p3r,

You don't need to downgrade your Python version, but you can downgrade your version of the urllib3 module: pip3 install 'urllib3<2' (I should have specified this in the requirements.txt file when I wrote the PoC, my bad).

However, if you still want to edit the code without downgrading, something like this should work: Fixing SSLV3_ALERT_HANDSHAKE_FAILURE with urllib3 2.0

Note that you can also simply comment out these lines if your web server doesn't use HSTS.

D3vil0p3r commented 1 week ago

@nuts7 has this issue been closed because the error message for Python3.12 has been fixed upstream?