Message 23922 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	paj28
Recipients
Date	2005-01-11.15:04:06
SpamBayes Score
Marked as misclassified
Message-id
In-reply-to

Content
Hi, There is a minor XSS flaw in BaseHTTPServer, in the default error message, if you try connecting with a bad method name, e.g.: pugsley:/srv/www/htdocs # telnet risk 8000 Trying 192.168.3.52... Connected to risk. Escape character is '^]'. <SCRIPT>alert('hello')</SCRIPT> / HTTP/1.0 HTTP/1.0 501 Unsupported method ("<SCRIPT>alert('hello')</SCRIPT>") Server: SimpleHTTP/0.6 Python/2.3.4 Date: Tue, 11 Jan 2005 15:02:48 GMT Content-Type: text/html Connection: close <head> <title>Error response</title> </head> <body> <h1>Error response</h1> <p>Error code 501. <p>Message: Unsupported method ("<SCRIPT>alert('hello')</SCRIPT>"). <p>Error code explanation: 501 = Server does not support this operation. </body> Connection closed by foreign host. This is not likely to be a major security risk, but ideally it should be fixed. In addition it may be that other error messages exhibit this flaw, I haven't done a code audit. Credit for discovery: Richard Moore Best wishes, Paul

Hi,

There is a minor XSS flaw in BaseHTTPServer, in the
default error message, if you try connecting with a bad
method name, e.g.:

pugsley:/srv/www/htdocs # telnet risk 8000
Trying 192.168.3.52...
Connected to risk.
Escape character is '^]'.
<SCRIPT>alert('hello')</SCRIPT> / HTTP/1.0

HTTP/1.0 501 Unsupported method
("<SCRIPT>alert('hello')</SCRIPT>")
Server: SimpleHTTP/0.6 Python/2.3.4
Date: Tue, 11 Jan 2005 15:02:48 GMT
Content-Type: text/html
Connection: close

<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 501.
<p>Message: Unsupported method
("<SCRIPT>alert('hello')</SCRIPT>").
<p>Error code explanation: 501 = Server does not
support this operation.
</body>
Connection closed by foreign host.

This is not likely to be a major security risk, but
ideally it should be fixed. In addition it may be that
other error messages exhibit this flaw, I haven't done
a code audit.

Credit for discovery: Richard Moore

Best wishes,

Paul

History
Date	User	Action	Args
2007-08-23 14:28:54	admin	link	issue1100201 messages
2007-08-23 14:28:54	admin	create