Closed rxwx closed 4 years ago
We put a requirements.txt downgrading the version to the non-sanitized one as a stopgap due to the newer version normalizing. Had to do with an RFC change in urllib3. I have an open issue out for them but will take a peek at this one to see if it works. Thanks!
Sounds good, thanks 👍
This is an awesome fix. Thank you very much @rxwx. Tested and working. Going through some testing now but will have this committed shortly. Thanks again.
Resolved in scanner and exploit. Thanks again for this solution.
import requests

with requests.Session() as s:
    r = requests.Request(method='POST', url=url, data=data, headers=headers)
    prep = r.prepare()        # requests/urllib3 normalize the path here
    prep.url = url            # swap the original, un-normalized URL back in
    req = s.send(prep, verify=False)
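An added example, not code from this issue or the project, showing the RFC 3986 dot-segment removal that the newer urllib3 applies to a path, and why a mitigation that matches on the normalized path still catches the request whether or not the client normalized it. The sample paths are constructed; the blocked prefix "/vpns/" is the one mentioned in the issue.

```python
from urllib.parse import unquote


def remove_dot_segments(path: str) -> str:
    """Remove '.' and '..' segments from a path, per RFC 3986 section 5.2.4.
    This is the same normalization a compliant client applies before sending."""
    output = []
    inp = path
    while inp:
        if inp.startswith("../"):
            inp = inp[3:]
        elif inp.startswith("./"):
            inp = inp[2:]
        elif inp.startswith("/./"):
            inp = inp[2:]
        elif inp == "/.":
            inp = "/"
        elif inp.startswith("/../"):
            inp = inp[3:]
            if output:
                output.pop()
        elif inp == "/..":
            inp = "/"
            if output:
                output.pop()
        elif inp in (".", ".."):
            inp = ""
        else:
            # Move the first segment (with its leading "/") to the output buffer.
            start = 1 if inp.startswith("/") else 0
            idx = inp.find("/", start)
            if idx == -1:
                output.append(inp)
                inp = ""
            else:
                output.append(inp[:idx])
                inp = inp[idx:]
    return "".join(output)


def is_blocked(path: str, blocked_prefix: str = "/vpns/") -> bool:
    """Server-side mitigation check (hypothetical helper): percent-decode, then
    normalize, then compare, so raw and client-normalized forms are treated alike."""
    return remove_dot_segments(unquote(path)).startswith(blocked_prefix)


if __name__ == "__main__":
    # Constructed sample: a traversal form and the form a normalizing client would send.
    for p in ("/a/../vpns/cfg/x", "/vpns/cfg/x", "/a/%2e%2e/vpns/cfg/x"):
        print(p, "->", remove_dot_segments(unquote(p)), "blocked:", is_blocked(p))
```

A rule that compares only the raw request path would see the first and third forms as not starting with the blocked prefix, which is why the normalization step belongs on the server side of the check.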
The current version of urllib3 normalizes the request path when using the python requests module like this:
This will result in the request getting normalised to:
The impact is that if you are running the latest urllib3/python3 then the exploit will fail on Virtual IP interfaces but not on management interfaces (since traversal is not required there).
The scanner check won't lead to false negatives, because although the path is normalized, it will still hit the /vpns/ path which is blocked in the mitigation. The fix is to use PreparedRequests and swap the URL out after normalization: