This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: Cross-site scripting on BaseHTTPServer
Type: Stage:
Components: Extension Modules Versions: Python 2.3
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: georg.brandl Nosy List: georg.brandl, georg.brandl, paj28
Priority: normal Keywords:

Created on 2005-01-11 15:04 by paj28, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Messages (2)
msg23922 - (view) Author: Paul Johnston (paj28) Date: 2005-01-11 15:04

There is a minor XSS flaw in BaseHTTPServer, in the
default error message, if you try connecting with a bad
method name, e.g.:

pugsley:/srv/www/htdocs # telnet risk 8000
Connected to risk.
Escape character is '^]'.
<SCRIPT>alert('hello')</SCRIPT> / HTTP/1.0

HTTP/1.0 501 Unsupported method
Server: SimpleHTTP/0.6 Python/2.3.4
Date: Tue, 11 Jan 2005 15:02:48 GMT
Content-Type: text/html
Connection: close

<title>Error response</title>
<h1>Error response</h1>
<p>Error code 501.
<p>Message: Unsupported method
<p>Error code explanation: 501 = Server does not
support this operation.
Connection closed by foreign host.

This is not likely to be a major security risk, but
ideally it should be fixed. In addition it may be that
other error messages exhibit this flaw, I haven't done
a code audit.

Credit for discovery: Richard Moore

Best wishes,

msg23923 - (view) Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2005-06-26 21:35
Logged In: YES 

Thanks for the report. This is fixed as of
Lib/ r1.30, r1.29.4.1.
Date User Action Args
2022-04-11 14:56:09adminsetgithub: 41422
2005-01-11 15:04:06paj28create