PT-2012-2008 · Python+3
Vincent Danen · Published 2012-06-18 · Updated 2023-02-13
| CVE | CVE-2011-4940 |
| CVSS v2.0 | 2.6 (Low) |
| Vector | AV:N/AC:H/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Python versions prior to 2.5.6c1
Python versions 2.6.x prior to 2.6.7 rc2
Python versions 2.7.x prior to 2.7.2
Description
The list_directory method of SimpleHTTPRequestHandler in Lib/SimpleHTTPServer.py builds an HTML directory listing (served whenever a requested directory contains no index.html or index.htm) and sends it with a Content-Type header of text/html and no charset parameter. The listing embeds the names of the files in that directory. The method HTML-escapes them, but escaping only neutralises literal <, > and & characters. Because no charset is declared, a browser that sniffs the encoding, in particular Internet Explorer 7, can decide the page is UTF-7, in which a file name such as +ADw-script+AD4- decodes to <script> after escaping has already run. A remote attacker who can get a file with such a name into the served tree can therefore conduct cross-site scripting (XSS) attacks against users who browse the listing; the need for that foothold is why the vector carries AC:H. The fix sends text/html; charset=<filesystem encoding> so the browser no longer guesses.
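The following is an added example, not code from Python or from this advisory. It rebuilds the directory-listing body with the same escaping steps list_directory uses (urllib.parse.quote for the href, html.escape for the link text), pairs it with the pre-fix and post-fix Content-Type values, and shows that a hand-written UTF-7 file name survives escaping and becomes a script tag only when no charset is declared. The file names are constructed test data; the "client always picks UTF-7 when no charset is declared" model stands in for IE7's sniffing and is an assumption, not a claim about any browser's exact heuristics. Pinning the charset to sys.getfilesystemencoding() mirrors what the upstream fix does.

```python
"""Added example: UTF-7 XSS in an undeclared-charset directory listing.

Nothing here touches a network.  The listing is rebuilt offline with the
stdlib helpers SimpleHTTPServer's list_directory() relies on.
"""
import html
import sys
import urllib.parse
from email.message import Message

# Constructed file name: RFC 2152 shifted form of "<script>alert(1)</script>".
# It is written by hand because Python's UTF-7 encoder leaves '<' and '>'
# unshifted.  It contains no literal <, > or &, so HTML escaping ignores it.
PAYLOAD_NAME = "+ADw-script+AD4-alert(1)+ADw-/script+AD4-"


def render_listing(path, names):
    """Rebuild the body list_directory() emits for a directory.

    Mirrors the stdlib: href is percent-quoted, visible text is HTML-escaped.
    Neither step rewrites '+' or '-', which is all a UTF-7 payload needs.
    """
    title = "Directory listing for %s" % html.escape(path, quote=False)
    lines = ['<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">',
             "<html>", "<title>%s</title>" % title, "<body>",
             "<h2>%s</h2>" % title, "<hr>", "<ul>"]
    for name in sorted(names, key=lambda a: a.lower()):
        lines.append('<li><a href="%s">%s</a></li>'
                     % (urllib.parse.quote(name), html.escape(name, quote=False)))
    lines += ["</ul>", "<hr>", "</body>", "</html>"]
    return "\n".join(lines)


def vulnerable_content_type():
    """Header value sent before the fix: no charset, so the client guesses."""
    return "text/html"


def fixed_content_type():
    """Header value sent from 2.5.6c1 / 2.6.7rc2 / 2.7.2 onward:
    the charset is pinned to the filesystem encoding."""
    return "text/html; charset=%s" % sys.getfilesystemencoding()


def declared_charset(content_type):
    """Return the charset parameter of a Content-Type value, or None.

    Usable as a check against a live server: feed it the header you got back.
    """
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_param("charset")


def client_view(body_bytes, content_type):
    """Text the client renders.

    With a declared charset the body is decoded with it.  With none, this
    model assumes a sniffing client (the IE7 case) settles on UTF-7, which is
    the worst case the CVE describes.
    """
    charset = declared_charset(content_type)
    return body_bytes.decode(charset or "utf-7")


def listing_has_script(body_bytes, content_type):
    """True if the rendered listing contains a live <script> tag."""
    return "<script>" in client_view(body_bytes, content_type)


def sample_body():
    """Constructed listing: one harmless file plus the UTF-7 payload name."""
    return render_listing("/", ["README.txt", PAYLOAD_NAME]).encode("ascii")


if __name__ == "__main__":
    body = sample_body()
    for ct in (vulnerable_content_type(), fixed_content_type()):
        print("%-28s script tag rendered: %s" % (ct, listing_has_script(body, ct)))
```

Running the block prints one line per header variant; only the bare text/html variant renders the script tag. The declared_charset helper is the check worth keeping: point it at the Content-Type a server actually returns for a directory URL and treat None as a finding.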
Recommendations
For Python versions prior to 2.5.6c1, update to version 2.5.6c1 or later.
For Python versions 2.6.x prior to 2.6.7 rc2, update to version 2.6.7 rc2 or later.
For Python versions 2.7.x prior to 2.7.2, update to version 2.7.2 or later.
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Centos
Internet Explorer
Python
Red Hat