The is_cgi() method in CGIHTTPServer.py in the CGIHTTPServer module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script source code via an HTTP GET request that lacks a / (slash) character at the beginning of the URI.
Dates:
Disclosure date: 2008-03-07 (Python issue bpo-2254 reported)
Python 2.7.0 (2010-07-03) fixed by commit 923ba36 (branch 2.7) (2009-04-06)
Python 3.2.4 (2013-04-06) fixed by commit 923ba36 (branch 2.7) (2009-04-06)
Python 3.3.1 (2013-04-06) fixed by commit 923ba36 (branch 2.7) (2009-04-06)
Python 3.4.0 (2014-03-16) fixed by commit 923ba36 (branch 2.7) (2009-04-06)
Python CGIHTTPServer information disclosure.
Python issue: bpo-2254
Creation date: 2008-03-07
Reporter: sumar
The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script source code via an HTTP GET request that lacks a / (slash) character at the beginning of the URI.
CVE ID: CVE-2011-1015
Published: 2011-05-09
CVSS Score: 5.0
Timeline using the disclosure date 2008-03-07 as reference:
2008-03-07: Python issue bpo-2254 reported by sumar
2009-04-06 (+395 days): commit 923ba36 (branch 2.7)
2010-07-03 (+848 days): Python 2.7.0 released
2011-05-09 (+1158 days): CVE-2011-1015 published
2013-04-06 (+1856 days): Python 3.2.4 released
2013-04-06 (+1856 days): Python 3.3.1 released
2014-03-16: Python 3.4.0 released
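The disclosure described in this entry comes from two code paths reading the same request path differently. The following is an added example, a simplified model rather than CPython's code or the fix in commit 923ba36: the function names, the sample paths and the canonicalize-first hardening are assumptions chosen for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed defaults for the handler's CGI directory list.
CGI_DIRECTORIES = ["/cgi-bin", "/htbin"]


def is_cgi_prefix_only(path):
    """Flawed model: compare the raw request path against each CGI directory."""
    for d in CGI_DIRECTORIES:
        n = len(d)
        if path[:n] == d and (not path[n:] or path[n] == "/"):
            return True
    return False


def translate_to_file(path):
    """Model of static-file mapping: normalize, split on '/', drop empty parts."""
    path = posixpath.normpath(unquote(path.split("?", 1)[0]))
    words = [w for w in path.split("/") if w and w not in (".", "..")]
    return "/".join(words)


def is_cgi_normalized(path):
    """Hardened model: canonicalize first, so both code paths see the same path."""
    return is_cgi_prefix_only("/" + translate_to_file(path))


def handle(path, classifier):
    """Return (action, file relative to the document root) for a request path."""
    target = translate_to_file(path)
    if classifier(path):
        return ("execute", target)
    return ("serve-as-static-file", target)


if __name__ == "__main__":
    # Constructed sample request paths, with and without the leading slash.
    for p in ("/cgi-bin/script.py", "cgi-bin/script.py", "/index.html"):
        print(p, handle(p, is_cgi_prefix_only), handle(p, is_cgi_normalized))
```

With the prefix-only check, the slash-less path maps to the same file on disk but is classified as static content, which is the source disclosure; a regression test for any handler of this kind should assert that both spellings of the path receive the same classification.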