The urlparse module treats semicolon as a separator, whereas most proxies today only take ampersands as separators.
When the attacker can separate query parameters using a semicolon ;, they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter - such as utm_* parameters, which are usually unkeyed.
The fix is to only use ampersands & as separators, and add a separator parameter to chose the separator characters.
Dates:
Disclosure date: 2021-01-19 (Python issue bpo-42967 reported)
Reported at: 2020-10-19 (email sent to the PSRT list)
Reported by: Adam Goldschmidt (Snyk)
Python 3.6.13 (2021-02-16) fixed by commit 5c17dfc (branch 3.6) (2021-02-15)
Python 3.7.10 (2021-02-16) fixed by commit d0d4d30 (branch 3.7) (2021-02-15)
Python 3.8.8 (2021-02-19) fixed by commit e3110c3 (branch 3.8) (2021-02-15)
Python 3.9.2 (2021-02-19) fixed by commit c9f0781 (branch 3.9) (2021-02-15)
Python 3.10.0 (2021-10-04) fixed by commit fcbe0cb (branch 3.10) (2021-02-14)
[CVE-2021-23336] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator.
Python issue: bpo-42967
Creation date: 2021-01-19
Reporter: Adam Goldschmidt
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
CVE ID: CVE-2021-23336
Published: 2021-02-15
CVSS Score: 4.0
Timeline using the disclosure date 2021-01-19 as reference:
2020-10-19 (-92 days): Reported (email sent to the PSRT list)
2021-01-19: Python issue bpo-42967 reported by Adam Goldschmidt
2021-02-14 (+26 days): commit fcbe0cb (branch 3.10)
2021-02-15 (+27 days): CVE-2021-23336 published
2021-02-15 (+27 days): commit 5c17dfc (branch 3.6)
2021-02-15 (+27 days): commit c9f0781 (branch 3.9)
2021-02-15 (+27 days): commit d0d4d30 (branch 3.7)
2021-02-15 (+27 days): commit e3110c3 (branch 3.8)
2021-02-16 (+28 days): Python 3.6.13 released
2021-02-16 (+28 days): Python 3.7.10 released
2021-02-19 (+31 days): Python 3.8.8 released
2021-02-19 (+31 days): Python 3.9.2 released
2021-10-04: Python 3.10.0 released
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4