[issue19435] Directory traversal attack for CGIHTTPRequestHandler
Alexander Kruppa
report at bugs.python.org
Tue Oct 29 17:34:01 CET 2013
New submission from Alexander Kruppa:
An error in separating the path and filename of the CGI script to run in http.server.CGIHTTPRequestHandler allows running arbitrary executables in the directory under which the server was started.
The problem is that in CGIHTTPRequestHandler we have:
def run_cgi(self):
"""Execute a CGI script."""
path = self.path
dir, rest = self.cgi_info
i = path.find('/', len(dir) + 1)
where path is the uncollapsed path in the URL, but cgi_info contains the first path segment and the rest from the *collapsed* path as filled in by is_cgi(), so indexing into path via len(dir) is incorrect.
An example exploit is giving the request path:
///////////badscript.sh/../cgi-bin/cgi.sh
Note that Firefox and wget at least simplify the path in the request; to make sure this exact path is used, do for example:
(echo "GET ///////////badscript.sh/../cgi-bin/cgi.sh HTTP/1.1"; echo) | telnet localhost 4443
This causes the CGIHTTPRequestHandler to execute the badscript.sh file in the directory in which the server was started, so script execution is not restricted to the cgi-bin/ or htbin/ subdirectories.
----------
components: Library (Lib)
messages: 201645
nosy: Alexander.Kruppa
priority: normal
severity: normal
status: open
title: Directory traversal attack for CGIHTTPRequestHandler
type: security
versions: Python 3.2
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue19435>
_______________________________________
More information about the Python-bugs-list
mailing list