Summary
Python is installed on this host and is prone to an information disclosure vulnerability.
Impact
Successful exploitation could allow attackers to gain access to potentially sensitive information contained in arbitrary scripts by requesting a CGI script without the '/' at the beginning of the URL.
Solution
Apply the patch from the link below:
http://svn.python.org/view?view=revision&revision=71303
*****
NOTE: Ignore this warning if above mentioned patch is already applied.
*****
Insight
The flaw is due to an error in the handling of the 'is_cgi' method in 'CGIHTTPServer.py' of the CGIHTTPServer module, which allows an attacker to supply a specially crafted request without the leading '/' character to the CGIHTTPServer.
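A simplified model of the routing decision described above, added here as an example; it is not the code from CGIHTTPServer.py or from the referenced patch. The directory list, function names and sample paths are assumptions of the model, as is the premise that a request not classified as CGI is answered with the file's contents.

```python
import posixpath
from urllib.parse import unquote

# Assumed CGI directory list for this model (not taken from the advisory).
CGI_DIRECTORIES = ["/cgi-bin", "/htbin"]

def is_cgi_prefix_only(path, cgi_dirs=CGI_DIRECTORIES):
    """Flawed model: compare the raw request path against each CGI directory."""
    for d in cgi_dirs:
        n = len(d)
        if path[:n] == d and (not path[n:] or path[n] == "/"):
            return True
    return False

def normalize(path):
    """Drop the query, decode, anchor at '/', and collapse the path."""
    path = unquote(path.split("?", 1)[0])
    collapsed = posixpath.normpath("/" + path)
    return "/" + collapsed.lstrip("/")  # normpath can keep a leading '//'

def is_cgi_normalized(path, cgi_dirs=CGI_DIRECTORIES):
    """Hardened model: classify the normalized path, not the raw one."""
    norm = normalize(path)
    return any(norm == d or norm.startswith(d + "/") for d in cgi_dirs)

def route(path, check):
    """'cgi' = script is executed; 'static' = file contents are returned."""
    return "cgi" if check(path) else "static"

def audit(paths):
    """Paths the two checks classify differently (source would be disclosed)."""
    return [p for p in paths
            if route(p, is_cgi_prefix_only) != route(p, is_cgi_normalized)]

# Constructed sample request paths.
SAMPLE = ["/cgi-bin/report.py", "cgi-bin/report.py", "/index.html", "/cgi-bin"]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p!r:24} prefix-only={route(p, is_cgi_prefix_only):7}"
              f" normalized={route(p, is_cgi_normalized)}")
    print("disagreements:", audit(SAMPLE))
```

The `audit` helper can be run over request paths taken from access logs to find requests that a prefix-only check would have answered with script source instead of script output.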
Affected
Python versions 2.5, 2.6, and 3.0
References
Severity
Classification
- CVE: CVE-2011-1015
- CVSS Base Score: 5.0
- CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Related Vulnerabilities
- Apple Safari JavaScript Implementation Information Disclosure Vulnerability (Windows)
- Apple QuickTime Multiple Arbitrary Code Execution Vulnerabilities (Win)
- Active Perl CGI.pm 'Set-Cookie' and 'P3P' HTTP Header Injection Vulnerability (Win)
- Apache Tomcat XML External Entity Information Disclosure Vulnerability
- Adobe Reader 'SWF' Information Disclosure Vulnerability (Windows)