
Make sure that we're not vulnerable to DNS rebinding attack

Open ztane opened this issue 9 years ago • 4 comments

It started with Rails; now there was CVE-2016-9014 in Django; someone should make sure that pyramid_debugtoolbar is not vulnerable. This attack allows a malicious site being opened in any browser to access the debug console - the hostname of the request must be validated.

ztane avatar Nov 03 '16 18:11 ztane

Hostname is not validated.

digitalresistor avatar Nov 04 '16 03:11 digitalresistor

I don't see a way to mitigate this easily but I'm open to suggestions.

mmerickel avatar Apr 06 '17 04:04 mmerickel

This is pretty serious stuff...

I don't see a way to mitigate this easily but I'm open to suggestions

Check host like @ztane said. If there is a hostname in the request, compare to a configuration setting, like "permitted hosts". Is there anything I'm missing?

a3kov avatar May 29 '17 18:05 a3kov

This would be better implemented as a tween/middleware/component of the core Pyramid package, and then called from there. That would allow developer applications to leverage the protection.

Every Pyramid application/component is vulnerable to DNS rebinding without checking an "allowed hosts" list. The debugtoolbar is a more attractive exploit because, like certain components of django and rails, it has a structured API and published hooks/entrypoints that are exploitable.

jvanasco avatar Aug 09 '17 07:08 jvanasco
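The mitigation sketched in the two comments above (a3kov: compare the request's hostname against a "permitted hosts" setting; jvanasco: do it in a Pyramid tween so any application can use it) as an added example. This is not code from pyramid_debugtoolbar or Pyramid; the setting key `debugtoolbar.hosts_allowed` is a hypothetical name chosen for the example, and the requests it is run against are constructed stand-ins rather than real WSGI requests. It falls back to a minimal `HTTPBadRequest` class only so it can run where Pyramid is not installed.

```python
"""Host-header validation against DNS rebinding, as a Pyramid-style tween (added example)."""
import re
from types import SimpleNamespace

try:
    from pyramid.httpexceptions import HTTPBadRequest
except ImportError:  # stand-in so the example runs without Pyramid installed
    class HTTPBadRequest(Exception):
        status_code = 400

        def __init__(self, detail=None):
            super().__init__(detail)
            self.detail = detail

# Constructed default: what a dev deployment would normally be reached as.
DEFAULT_ALLOWED = ("localhost", "127.0.0.1", "::1")

# A Host header is either a bracketed IPv6 literal or a DNS name/IPv4,
# optionally followed by ":port". Anything else is treated as malformed.
_HOST_RE = re.compile(r"^(\[[0-9a-fA-F:.]+\]|[A-Za-z0-9.-]+)(?::\d{1,5})?$")


def split_host(host_header):
    """Return the lowercase hostname from a Host header with the port and
    IPv6 brackets removed, or None when the header is missing or malformed."""
    if not host_header:
        return None
    match = _HOST_RE.match(host_header.strip())
    if not match:
        return None
    name = match.group(1)
    if name.startswith("["):
        name = name[1:-1]
    return name.lower().rstrip(".")


def is_allowed_host(host_header, allowed):
    """True when the Host header names one of the permitted hosts.

    A pattern starting with "." (e.g. ".example.com") permits that domain
    and every subdomain; any other pattern must match exactly. A rebinding
    attacker controls the DNS answer, not the Host header the browser sends,
    so the header still carries the attacker's domain and is rejected here."""
    name = split_host(host_header)
    if name is None:
        return False
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern.startswith("."):
            if name == pattern[1:] or name.endswith(pattern):
                return True
        elif name == pattern:
            return True
    return False


def host_check_tween_factory(handler, registry):
    """Pyramid tween factory: reject requests whose Host header is not permitted.

    Reads the hypothetical setting ``debugtoolbar.hosts_allowed`` (a
    whitespace-separated list) and falls back to DEFAULT_ALLOWED."""
    settings = getattr(registry, "settings", None) or {}
    allowed = tuple(str(settings.get("debugtoolbar.hosts_allowed", "")).split())
    allowed = allowed or DEFAULT_ALLOWED

    def host_check_tween(request):
        # webob's request.host is the raw Host header, port included.
        if not is_allowed_host(request.host, allowed):
            return HTTPBadRequest(detail="Host header not in permitted hosts")
        return handler(request)

    return host_check_tween


def simulate(host_header, settings=None):
    """Run the tween against a constructed request and return the status code."""
    registry = SimpleNamespace(settings=settings or {})
    handler = lambda request: SimpleNamespace(status_code=200)  # the downstream app
    tween = host_check_tween_factory(handler, registry)
    return tween(SimpleNamespace(host=host_header)).status_code


if __name__ == "__main__":
    print(simulate("localhost:6543"))                       # 200
    print(simulate("attacker.example:6543"))                # 400
    print(simulate("dev.example.com",
                   {"debugtoolbar.hosts_allowed": ".example.com"}))  # 200
```

In a real application the factory would be registered with `config.add_tween(...)` so it runs ahead of the toolbar's own views; the check is independent of the client IP filtering the toolbar already does, because a rebinding victim's browser connects from an otherwise trusted address.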