Message 201645 - Python tracker

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

In-reply-to
Author	Alexander.Kruppa
Recipients	Alexander.Kruppa
Date	2013年10月29日.16:34:01
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1383064441.57.0.197155402259.issue19435@psf.upfronthosting.co.za>

Content
An error in separating the path and filename of the CGI script to run in http.server.CGIHTTPRequestHandler allows running arbitrary executables in the directory under which the server was started. The problem is that in CGIHTTPRequestHandler we have: def run_cgi(self): """Execute a CGI script.""" path = self.path dir, rest = self.cgi_info i = path.find('/', len(dir) + 1) where path is the uncollapsed path in the URL, but cgi_info contains the first path segment and the rest from the collapsed path as filled in by is_cgi(), so indexing into path via len(dir) is incorrect. An example exploit is giving the request path: ///////////badscript.sh/../cgi-bin/cgi.sh Note that Firefox and wget at least simplify the path in the request; to make sure this exact path is used, do for example: (echo "GET ///////////badscript.sh/../cgi-bin/cgi.sh HTTP/1.1"; echo) \| telnet localhost 4443 This causes the CGIHTTPRequestHandler to execute the badscript.sh file in the directory in which the server was started, so script execution is not restricted to the cgi-bin/ or htbin/ subdirectories.

Content

An error in separating the path and filename of the CGI script to run in http.server.CGIHTTPRequestHandler allows running arbitrary executables in the directory under which the server was started.
The problem is that in CGIHTTPRequestHandler we have:
 def run_cgi(self): 
 """Execute a CGI script.""" 
 path = self.path 
 dir, rest = self.cgi_info 
 
 i = path.find('/', len(dir) + 1) 
where path is the uncollapsed path in the URL, but cgi_info contains the first path segment and the rest from the *collapsed* path as filled in by is_cgi(), so indexing into path via len(dir) is incorrect.
An example exploit is giving the request path:
///////////badscript.sh/../cgi-bin/cgi.sh
Note that Firefox and wget at least simplify the path in the request; to make sure this exact path is used, do for example:
 (echo "GET ///////////badscript.sh/../cgi-bin/cgi.sh HTTP/1.1"; echo) | telnet localhost 4443
This causes the CGIHTTPRequestHandler to execute the badscript.sh file in the directory in which the server was started, so script execution is not restricted to the cgi-bin/ or htbin/ subdirectories.

History
Date	User	Action	Args
2013年10月29日 16:34:01	Alexander.Kruppa	set	recipients: + Alexander.Kruppa
2013年10月29日 16:34:01	Alexander.Kruppa	set	messageid: <1383064441.57.0.197155402259.issue19435@psf.upfronthosting.co.za>
2013年10月29日 16:34:01	Alexander.Kruppa	link	issue19435 messages
2013年10月29日 16:34:01	Alexander.Kruppa	create

homepage