The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
2.1.0 → fixed in 2.6.0
Details
The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.
The fix
Don't ascribe cookies to the target domain.
requests/sessions.py+1 −1
@@ -171,7 +171,7 @@ def resolve_redirects(self, resp, req, stream=False, timeout=None,except KeyError:pass-extract_cookies_to_jar(prepared_request._cookies, prepared_request, resp.raw)+extract_cookies_to_jar(prepared_request._cookies, req, resp.raw)prepared_request._cookies.update(self.cookies)prepared_request.prepare_cookies(prepared_request._cookies)
References
- WEBhttp://www.openwall.com/lists/oss-security/2015/03/15/1
- ADVISORYhttp://www.ubuntu.com/usn/USN-2531-1
- WEBhttp://www.openwall.com/lists/oss-security/2015/03/14/4
- FIXhttps://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
- WEBhttps://warehouse.python.org/project/requests/2.6.0/
- WEBhttp://lists.fedoraproject.org/pipermail/package-announce/2015-March/153594.html
- ADVISORYhttp://advisories.mageia.org/MGASA-2015-0120.html
- ADVISORYhttp://www.mandriva.com/security/advisories?name=MDVSA-2015:133
- ADVISORYhttps://github.com/advisories/GHSA-pg2w-x9wp-vw92