Report of Open Redirect Vulnerability in Python 3.9.11 - Utilizing Simple HTTP

[barttran2k]

Bug report

Bug description:

Vulnerability Details:

• Affected Version: Python 3.9.11
• Vulnerability Type: Open Redirect
• Payload: //interact.sh/%2f..

Description:
During our testing and analysis, we identified that when using Simple HTTP in Python 3.9.11 with the payload //interact.sh/%2f.., an open redirect vulnerability arises. This could potentially allow attackers to redirect users to malicious websites or resources, leading to phishing attacks or the exploitation of sensitive information.

Steps to Reproduce:

1. Set up a server using Python 3.9.11 with Simple HTTP.
2. Craft a payload containing //interact.sh/%2f..
3. Attempt to access the server with the crafted payload.
4. Observe the redirection behavior.

Impact:
This vulnerability poses a significant risk to the security of applications and systems utilizing Python 3.9.11, as it can be exploited by malicious actors to perform various attacks, including phishing and unauthorized access to sensitive information.

CPython versions tested on:

3.9

Operating systems tested on:

Linux, macOS, Windows

[ericvsmith]

Please provide sample code.

[barttran2k]

[ericvsmith]

Thanks. For those using screen readers, it would be better to not paste an image. For reference, the command line is:

python -m http.server 9999

The documentation for the http module states:
Warning http.server is not recommended for production. It only implements basic security checks.

[tunedal]

I think this is a duplicate of issue #87389 which was fixed in Python 3.9.14. When I apply that patch to 3.9.2, the example here (GET //fb.com/%2f..) is not reproducible anymore.

[ericvsmith]

Thanks for verifying, @tunedal. I'll wait a little while and then close this.

@barttran2k: Does this resolve your issue?

[barttran2k]

I have checked the fix information again and it is true that it has been fixed since 3.9.14. Thank you @tunedal @ericvsmith