New submission from Alexander Kruppa:

An error in separating the path and filename of the CGI script to run in 
http.server.CGIHTTPRequestHandler allows running arbitrary executables in the 
directory under which the server was started.

The problem is that in CGIHTTPRequestHandler we have:

  def run_cgi(self):
      """Execute a CGI script."""
      path = self.path
      dir, rest = self.cgi_info

      i = path.find('/', len(dir) + 1)

where path is the uncollapsed path in the URL, but cgi_info contains the first 
path segment and the rest from the *collapsed* path as filled in by is_cgi(), 
so indexing into path via len(dir) is incorrect.

An example exploit is giving the request path:

///////////badscript.sh/../cgi-bin/cgi.sh

Note that Firefox and wget at least simplify the path in the request; to make 
sure this exact path is used, do for example:

  (echo "GET ///////////badscript.sh/../cgi-bin/cgi.sh HTTP/1.1"; echo) | telnet localhost 4443

This causes the CGIHTTPRequestHandler to execute the badscript.sh file in the 
directory in which the server was started, so script execution is not 
restricted to the cgi-bin/ or htbin/ subdirectories.

----------
components: Library (Lib)
messages: 201645
nosy: Alexander.Kruppa
priority: normal
severity: normal
status: open
title: Directory traversal attack for CGIHTTPRequestHandler
type: security
versions: Python 3.2

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue19435>
_______________________________________
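
The index mismatch described in the report, as an added illustration that is not part of the original message and not the http.server source. The names `collapse`, `split_cgi`, `audit` and `SAMPLES` are hypothetical, and `collapse` is a simplified stand-in for the server's path collapsing; the point is that `len(dir) + 1` only lines up with the string `dir` was taken from.

```python
# Added illustration; a simplified model, not the http.server source.
CGI_DIRS = ("/cgi-bin", "/htbin")   # the two directories named in the report

def collapse(path):
    """Simplified stand-in (assumption) for the server's path collapsing:
    drops empty and '.' segments and resolves '..'."""
    parts = []
    for seg in path.split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg and seg != ".":
            parts.append(seg)
    return "/" + "/".join(parts)

def split_cgi(collapsed):
    """First segment and remainder of the collapsed path, which is what the
    report says cgi_info holds. Returns None outside the CGI directories."""
    head, _, rest = collapsed[1:].partition("/")
    dir_ = "/" + head
    return (dir_, rest) if dir_ in CGI_DIRS else None

def audit(raw):
    """Evaluate the report's index expression on the raw and collapsed path."""
    collapsed = collapse(raw)
    info = split_cgi(collapsed)
    if info is None:
        return None
    dir_, rest = info
    start = len(dir_) + 1
    return {
        "dir": dir_, "rest": rest,
        "raw_index": raw.find("/", start),        # offset applied to the raw path
        "ok_index": collapsed.find("/", start),   # same string dir came from
        "suspicious": raw != collapsed,           # simple flag for log review
    }

# Constructed request paths; the second is the one quoted in the report.
SAMPLES = [
    "/cgi-bin/cgi.sh",
    "///////////badscript.sh/../cgi-bin/cgi.sh",
    "/cgi-bin/cgi.sh/extra/info",
    "/index.html",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", audit(p))
```

For well-formed requests the two indices agree; they diverge only when the raw path differs from its collapsed form, which is also what the `suspicious` flag reports.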