Bugs item #1473048, was opened at 2006-04-19 11:45
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1473048&group_id=5470

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Python Library
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: A.M. Kuchling (akuchling)
Assigned to: Nobody/Anonymous (nobody)
Summary: SimpleXMLRPCServer responds to any path

Initial Comment:
SimpleXMLRPCServer and DocXMLRPCServer don't look at the path of the HTTP request at all; you can POST or GET from / or /RPC2 or /blahblahblah with the same results.

One minor problem with this liberality is that a security scanner that looks for vulnerable scripts such as /cgi-bin/phf will report the server as vulnerable. Nessus, for example, reports dozens of security holes on a SimpleXMLRPCServer for this reason.

Fix: add a check that only allows '/' or '/RPC2' (maybe just /RPC2?).

----------------------------------------------------------------------

Python-bugs-list mailing list
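The following is an added example, not code from the report or from CPython. It reproduces the behaviour described above and then applies the proposed fix as a request-handler subclass. It uses the Python 3 module names (`xmlrpc.server`, `xmlrpc.client`) rather than the Python 2 `SimpleXMLRPCServer` named in the report, and it relies on one fact not stated in the report: later CPython releases gave `SimpleXMLRPCRequestHandler` an `rpc_paths` attribute, and setting it to an empty tuple disables the path check, which is how the "answers on any path" server is recreated here. `ALLOWED_RPC_PATHS`, `PermissiveHandler`, `StrictHandler` and `probe` are names chosen for this example.

```python
"""Reproduce the report, then apply the proposed fix: serve XML-RPC only on
a fixed set of paths.  Added example using the Python 3 module names."""
import http.client
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

# Paths on which XML-RPC calls are accepted; the report proposes '/' and '/RPC2'.
ALLOWED_RPC_PATHS = ("/", "/RPC2")


class PermissiveHandler(SimpleXMLRPCRequestHandler):
    """Behaves like the server in the report: dispatches a POST to any path.

    Later CPython added an ``rpc_paths`` attribute to this handler; an empty
    tuple turns the path check off, which reproduces the original behaviour.
    """
    rpc_paths = ()


class StrictHandler(SimpleXMLRPCRequestHandler):
    """Applies the proposed fix explicitly: unknown paths get a 404 and the
    XML-RPC dispatcher never sees the request body."""

    def do_POST(self):
        if self.path not in ALLOWED_RPC_PATHS:
            # Drain the body so the connection closes cleanly, then refuse
            # without parsing any XML at all.
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            self.send_error(404, "No XML-RPC endpoint at this path")
            return
        super().do_POST()


def probe(handler_cls, path):
    """Start a throwaway server on a loopback port, POST a valid XML-RPC call
    for ``add(2, 3)`` to ``path`` and return the HTTP status code."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), requestHandler=handler_cls,
                                logRequests=False)
    server.register_function(lambda a, b: a + b, "add")
    host, port = server.server_address
    worker = threading.Thread(target=server.serve_forever, daemon=True)
    worker.start()
    try:
        body = xmlrpc.client.dumps((2, 3), methodname="add").encode()
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("POST", path, body=body,
                     headers={"Content-Type": "text/xml"})
        resp = conn.getresponse()
        resp.read()
        conn.close()
        return resp.status
    finally:
        server.shutdown()
        server.server_close()
        worker.join()


if __name__ == "__main__":
    # A scanner probing /cgi-bin/phf sees the same 200 as a real RPC call on
    # the permissive server, but a 404 on the fixed one.
    for cls in (PermissiveHandler, StrictHandler):
        for p in ("/RPC2", "/cgi-bin/phf"):
            print(f"{cls.__name__:18} POST {p:14} -> {probe(cls, p)}")
```

The permissive handler returns 200 for `/cgi-bin/phf` with a full XML-RPC response, which is exactly what a scanner keys on; the strict handler returns 404 for that path while `/RPC2` still works. Rejecting before the body is parsed also keeps unsolicited XML away from the dispatcher, which is a useful side effect of the check beyond silencing the scanner.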