[issue38230] A Path Traversal vulnerability in ssl_servers.py
New submission from longwenzhang:

There is a Path Traversal vulnerability in https://github.com/python/cpython/blob/master/Lib/test/ssl_servers.py (on the Windows platform).

Steps to reproduce:

1. Run the script https://github.com/python/cpython/blob/master/Lib/test/ssl_servers.py
2. If you visit https://127.0.0.1:4433/ , you will see the files in the current directory. But if you visit https://127.0.0.1:4433/c:../ , you will jump to the parent directory, and if you visit https://127.0.0.1:4433/d:../ , you will see the files of D:\
3. I'm sure it's a Path Traversal, and I think the problem is at https://github.com/python/cpython/blob/master/Lib/test/ssl_servers.py#L71 ; there is no check on "word".

--
components: Tests
messages: 352844
nosy: longwenzhang
priority: normal
severity: normal
status: open
title: A Path Traversal vulnerability in ssl_servers.py
type: security
versions: Python 3.7

___
Python tracker <https://bugs.python.org/issue38230>
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
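
Added example (not part of the original report and not the code in ssl_servers.py): the drive-letter behaviour the report describes, reproduced with the standard ntpath module so it runs on any OS, next to a resolver that rejects such words. ROOT and the three function names are hypothetical, and naive_resolve is a simplified stand-in for a handler that joins each URL word without checking it.

```python
import ntpath  # Windows path rules, importable on any OS

ROOT = "c:\\srv\\root"  # constructed document root (assumption)


def naive_resolve(root, url_path):
    """Simplified stand-in: joins every URL word with no check on it."""
    path = root
    for word in filter(None, url_path.split("/")):
        path = ntpath.join(path, word)  # "d:.." replaces root entirely
    return ntpath.normpath(path)


def is_inside(root, path):
    """True if path is root itself or lies below it (case-insensitive)."""
    root = ntpath.normcase(ntpath.normpath(root))
    path = ntpath.normcase(ntpath.normpath(path))
    return path == root or path.startswith(root + "\\")


def safe_resolve(root, url_path):
    """Return the path under root, or None if any word could leave it."""
    path = root
    for word in filter(None, url_path.split("/")):
        drive, _ = ntpath.splitdrive(word)  # "c:.." -> ("c:", "..")
        if drive or word in (".", "..") or "\\" in word or ":" in word:
            return None  # drive prefix, parent reference or separator
        path = ntpath.join(path, word)
    path = ntpath.normpath(path)
    # Defence in depth: the final result must still sit under root.
    return path if is_inside(root, path) else None


if __name__ == "__main__":
    # URL paths taken from the report, plus one ordinary request.
    for url in ("/", "/docs/index.html", "/c:../", "/d:../"):
        print(f"{url!r:20} naive={naive_resolve(ROOT, url)!r:32} "
              f"safe={safe_resolve(ROOT, url)!r}")
```
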
[issue38230] A Path Traversal vulnerability in test/ssl_servers.py
longwenzhang added the comment:

It seems to be only used in test. Does it need to be repaired?

--
___
Python tracker <https://bugs.python.org/issue38230>
___
[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py
New submission from longwenzhang:

It's "Lib/DocXMLRPCServer.py" in Python 2.x or "Lib/xmlrpc/server.py" in Python 3.x.

Steps to reproduce:

1. Lib/DocXMLRPCServer.py is "a documenting XML-RPC Server". In the class ServerHTMLDoc, the method markup() will escape the special symbols to make them safe (such as <, " etc).
2. But it only escapes the content from server.set_server_name() and server.set_server_documentation(); the "title" content from server.set_server_title() will not be escaped, so if I set_server_title('123alert(1)'), it will cause XSS because it is not escaped.
3. I see the alert in Chrome by visiting http://127.0.0.1 ; the PoC is the poc.py (run in Python 2.7) in the attachments.
4. The problem seems to be at https://github.com/python/cpython/blob/master/Lib/xmlrpc/server.py#L897 "return documenter.page(self.server_title,documentation)". Before this line, the variable "documentation" has been escaped but self.server_title has not. This is the main cause.

--
components: Library (Lib)
files: poc.py
messages: 352921
nosy: longwenzhang
priority: normal
severity: normal
status: open
title: A reflected XSS in python/Lib/DocXMLRPCServer.py
type: security
versions: Python 3.7
Added file: https://bugs.python.org/file48619/poc.py

___
Python tracker <https://bugs.python.org/issue38243>
___