Re: Was a CVE ever assigned for Python SimpleHTTPServer.py XSS?

[Kurt Seifried <kseifried () redhat com>]

On 03/14/2012 02:44 PM, Vincent Danen wrote:
> I'm not sure if a CVE was ever assigned to this or not; it's an older
> issue that's fixed in 2.5.x and 2.6.x (I suspect 2.7.x is fixed too, but
> I cannot find a commit to be 100% sure).  It sounds awfully familiar
> though.

grep -i SimpleHTTPServer allitems.csv

shows nothing, nothing in mail folders, etc. Checked Google, some CVE's
for SimpleHTTPServer show up but nothing like below.

> A flaw was reported in Python's SimpleHTTPServer's list_directory()
> function.  Due to a missing charset parameter, if a user were to connect
> to SimpleHTTPServer using IE7, which engages in encoding-sniffing and
> can be tricked into interpretting the output as UTF7.  Because of this,
> an attacker could hide <script> tags in UTF7-encoded characters which do
> not get quoted by cgi.encode(), allowing XSS attacks.
>
> This has been corrected upstream in version 2.6.7rc2 and 2.5.6c1.  It
> may be fixed in 2.7 as well, but I was unable to find a commit to match
> it against.
>
> References:
> http://bugs.python.org/issue11442
> http://svn.python.org/view/python/branches/release26-maint/Lib/SimpleHTTPServer.py?r1=66717&r2=88831&view=patch
>
> http://svn.python.org/view/python/branches/release25-maint/Lib/SimpleHTTPServer.py?r1=53148&r2=88815&view=patch
>
> https://bugzilla.redhat.com/show_bug.cgi?id=803500

Please use CVE-2011-4940 for this issue.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)