[ python-Bugs-1473048 ] SimpleXMLRPCServer responds to any path

SourceForge.net noreply at sourceforge.net
Wed Apr 19 17:45:24 CEST 2006


Bugs item #1473048, was opened at 2006-04-19 11:45
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1473048&group_id=5470

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Library
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: A.M. Kuchling (akuchling)
Assigned to: Nobody/Anonymous (nobody)
Summary: SimpleXMLRPCServer responds to any path

Initial Comment:
SimpleXMLRPCServer and DocXMLRPCServer don't look at
the path of the HTTP request at all; you can POST or
GET from / or /RPC2 or /blahblahblah with the same results.

One minor problem with this liberality is that a
security scanner that looks for vulnerable scripts such
as /cgi-bin/phf will report the server as vulnerable. 
Nessus, for example, reports dozens of security holes
on a SimpleXMLRPCServer for this reason.

Fix: add a check that only allows '/' or '/RPC2' (maybe
just /RPC2?).



----------------------------------------------------------------------
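The path check the report proposes, written as an added example (not code from the bug tracker or from CPython): a request-handler subclass that serves XML-RPC only on an allow-list of paths and answers 404 everywhere else, exercised against a throwaway server on the loopback interface. It uses Python 3's xmlrpc module; the allow-list, the handler name and the registered `add` method are constructed for the demonstration.

```python
"""Restrict an XML-RPC server to an allow-list of request paths (added example)."""
import http.client
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler

# Constructed allow-list: the two paths the bug report suggests accepting.
ALLOWED_RPC_PATHS = ("/", "/RPC2")


class PathCheckingHandler(SimpleXMLRPCRequestHandler):
    """Serve XML-RPC only on allow-listed paths; anything else gets a 404."""

    def do_POST(self):
        path = self.path.split("?", 1)[0]  # ignore any query string
        if path not in ALLOWED_RPC_PATHS:
            self.send_error(404, "No such XML-RPC endpoint")
            return
        super().do_POST()

    def log_message(self, format, *args):
        pass  # keep the demonstration quiet


def start_server():
    """Bind a server on an ephemeral loopback port and serve it in a thread."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0),
                                requestHandler=PathCheckingHandler,
                                logRequests=False)
    server.register_function(lambda a, b: a + b, "add")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def post_status(port, path):
    """POST a valid XML-RPC call to `path` and return the HTTP status code."""
    body = xmlrpc.client.dumps((2, 3), methodname="add")
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", path, body, {"Content-Type": "text/xml"})
    status = conn.getresponse().status
    conn.close()
    return status


def demo():
    """Probe the allowed paths and one scanner-style path; return the statuses."""
    server = start_server()
    port = server.server_address[1]
    results = {p: post_status(port, p) for p in ("/RPC2", "/", "/cgi-bin/phf")}
    server.shutdown()
    server.server_close()
    return results
```

With the check in place a scanner probing paths such as /cgi-bin/phf gets a 404 rather than a valid XML-RPC response, which removes the false positives the report describes.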
