New submission from Benjamin Peterson:
From the security list:
The CGIHTTPServer Python module does not properly handle URL-encoded
path separators in URLs. This may enable attackers to disclose a CGI
script's source code or execute arbitrary scripts in the server's
document root.
Details
===
Product: Python CGIHTTPServer
Affected Versions: 2.7.5, 3.3.4 (possibly others)
Fixed Versions: FIXED-VERSIONS
Vulnerability Type: File Disclosure, Directory Traversal
Security Risk: high
Vendor URL: https://docs.python.org/2/library/cgihttpserver.html
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-008
Advisory Status: private
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Introduction
The CGIHTTPServer module defines a request-handler class, interface
compatible with BaseHTTPServer. BaseHTTPRequestHandler and inherits
behavior from SimpleHTTPServer. SimpleHTTPRequestHandler but can also
run CGI scripts.
(from the Python documentation)
More Details
The CGIHTTPServer module can be used to set up a simple HTTP server with
CGI scripts. A sample server script in Python may look like the
following:
#!/usr/bin/env python2
import CGIHTTPServer
import BaseHTTPServer
if __name__ == __main__:
server = BaseHTTPServer.HTTPServer
handler = CGIHTTPServer.CGIHTTPRequestHandler
server_address = (, 8000)
# Note that only /cgi-bin will work:
handler.cgi_directories = [/cgi-bin, /cgi-bin/subdir]
httpd = server(server_address, handler)
httpd.serve_forever()
This server should execute any scripts located in the subdirectory
cgi-bin. A sample CGI script can be placed in that directory, for
example a script like the following:
#!/usr/bin/env python2
import json
import sys
db_credentials = SECRET
sys.stdout.write(Content-type: text/json\r\n\r\n)
sys.stdout.write(json.dumps({text: This is a Test}))
The Python library CGIHTTPServer.py implements the CGIHTTPRequestHandler
class which inherits from SimpleHTTPServer.SimpleHTTPRequestHandler:
class SimpleHTTPRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
[...]
def do_GET(self):
Serve a GET request.
f = self.send_head()
if f:
try:
self.copyfile(f, self.wfile)
finally:
f.close()
def do_HEAD(self):
Serve a HEAD request.
f = self.send_head()
if f:
f.close()
def translate_path(self, path):
[...]
path = posixpath.normpath(urllib.unquote(path))
words = path.split('/')
words = filter(None, words)
path = os.getcwd()
[...]
The CGIHTTPRequestHandler class inherits, among others, the methods
do_GET() and do_HEAD() for handling HTTP GET and HTTP HEAD requests. The
class overrides send_head() and implements several new methods, such as
do_POST(), is_cgi() and run_cgi():
class CGIHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
[...]
def do_POST(self):
[...]
if self.is_cgi():
self.run_cgi()
else:
self.send_error(501, Can only POST to CGI scripts)
def send_head(self):
Version of send_head that support CGI scripts
if self.is_cgi():
return self.run_cgi()
else:
return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
def is_cgi(self):
[...]
collapsed_path = _url_collapse_path(self.path)
dir_sep = collapsed_path.find('/', 1)
head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
if head in self.cgi_directories:
self.cgi_info = head, tail
return True
return False
[...]
def run_cgi(self):
Execute a CGI script.
dir, rest = self.cgi_info
[...]
# dissect the part after the directory name into a script name
# a possible additional path, to be stored in PATH_INFO.
i = rest.find('/')
if i = 0:
script, rest = rest[:i], rest[i:]
else:
script, rest = rest, ''
scriptname = dir + '/' + script
scriptfile = self.translate_path(scriptname)
if not os.path.exists(scriptfile):
self.send_error(404, No such CGI script (%r) % scriptname)
return
if not os.path.isfile(scriptfile):
self.send_error(403, CGI script is not a plain file (%r) %
scriptname)
return
[...]
[...]
For HTTP GET requests, do_GET() first invokes send_head(). That method
calls is_cgi() to determine whether the
