Vigil@nce - python-requests for Kerberos: spoof of an HTTP server
November 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can spoof an HTTP server, for instance in order to
receive sensitive information or send illicit responses.
– Impacted products: Fedora, Windows (platform), Unix (platform)
– Severity: 2/4
– Creation date: 05/11/2014
DESCRIPTION OF THE VULNERABILITY
The requests-kerberos module for the python-requests library performs
Kerberos (Negotiate) authentication of the HTTP client to the server
and, through mutual authentication, of the server to the client.
However, the code that actually verifies the server's identity is never
executed, because the response handling path does not delegate to the
common processing step where that check lives. So the client is
authenticated to the server, but the server is not authenticated to
the client.
An attacker can therefore spoof an HTTP server, for instance in
order to receive sensitive information or send illicit responses.
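The failure mode described above, as an added example that is not code from Vigil@nce or from the requests-kerberos project: a toy model of the 401 / Negotiate exchange in which the server's mutual-authentication proof is a constructed HMAC over the client's token (standing in for the GSS-API AP-REP step), with the client's response handler in two variants. The flawed variant returns the response to the authenticated retry directly, so the common processing step that verifies the server never runs; the fixed variant delegates to it and rejects a server that cannot prove possession of the session key. All names, keys and tokens here are constructed for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


# Constructed stand-in for the Kerberos session key. In real Kerberos the
# genuine server recovers it from the service ticket; a spoofing server
# never learns it.
SESSION_KEY = b"constructed-session-key"
CLIENT_TOKEN = b"constructed-AP-REQ-token"


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes


class MutualAuthError(Exception):
    """Mutual authentication was required but the server did not prove itself."""


def mutual_token(client_token: bytes, key: bytes) -> bytes:
    # Toy model of the GSS-API mutual step: the server proves possession of
    # the session key by MACing the client's token (stand-in for the AP-REP).
    return hmac.new(key, client_token, hashlib.sha256).hexdigest().encode()


def genuine_server(request_headers: dict) -> Response:
    # No Authorization header yet: challenge the client with 401 Negotiate.
    auth = request_headers.get("Authorization")
    if not auth:
        return Response(401, {"WWW-Authenticate": b"Negotiate"}, b"")
    token = auth[len(b"Negotiate "):]
    proof = mutual_token(token, SESSION_KEY)
    return Response(200, {"WWW-Authenticate": b"Negotiate " + proof},
                    b"confidential data")


def spoofed_server(request_headers: dict) -> Response:
    # Attacker impersonating the server: accepts the client's token but
    # cannot produce the mutual-authentication proof, so it sends none.
    if not request_headers.get("Authorization"):
        return Response(401, {"WWW-Authenticate": b"Negotiate"}, b"")
    return Response(200, {}, b"attacker-controlled data")


def authenticate_server(resp: Response, client_token: bytes) -> bool:
    # The server check: verify the Negotiate token the server sent back.
    hdr = resp.headers.get("WWW-Authenticate", b"")
    if not hdr.startswith(b"Negotiate "):
        return False
    expected = mutual_token(client_token, SESSION_KEY)
    return hmac.compare_digest(hdr[len(b"Negotiate "):], expected)


def handle_other(resp: Response, client_token: bytes,
                 mutual_required: bool) -> Response:
    # Common processing step for every final response.
    if mutual_required and not authenticate_server(resp, client_token):
        raise MutualAuthError("server did not prove its identity")
    return resp


def fetch(server, mutual_required: bool = True, fixed: bool = True) -> Response:
    """Drive the 401 -> Negotiate -> response exchange against `server`.

    fixed=False models the flawed client: the response to the authenticated
    retry is returned as-is, so handle_other (and the server check) never
    runs. fixed=True delegates that response to the common processing step.
    """
    resp = server({})
    if resp.status == 401 and b"Negotiate" in resp.headers.get("WWW-Authenticate", b""):
        resp = server({"Authorization": b"Negotiate " + CLIENT_TOKEN})
        if not fixed:
            return resp  # missing delegation: server is never verified
    return handle_other(resp, CLIENT_TOKEN, mutual_required)
```

In requests-kerberos itself the analogous switch is the `mutual_authentication` argument of `HTTPKerberosAuth`; the advisory's point is that in the affected versions requiring it did not help, because the verification code was simply never reached. A client that needs protection against a spoofed server should treat a missing or unverifiable server token on the authenticated response as a hard failure, as the fixed path above does, rather than as an absent optional header.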
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/python-requests-for-Kerberos-spoof-of-an-HTTP-server-15592