CVE-2011-4940: SimpleHTTPServer UTF-7

The list_directory() function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.

  • Disclosure date: 2011-03-08 (Python issue #11442 reported)
  • Reported by: email received on the Python security list

Fixed In

Python issue

list_directory() in SimpleHTTPServer.py should add charset=... to Content-type header.

  • Python issue: issue #11442
  • Creation date: 2011-03-08
  • Reporter: Guido van Rossum

CVE-2011-4940

The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.
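The defence the CVE describes is simple: a directory-listing page must declare its charset in the Content-Type header (the fix added `charset=...` to the header sent by `list_directory()`), and every file name interpolated into the page must be HTML-escaped so that a browser never has to guess the encoding or the markup. The following is an added example, not CPython's own `SimpleHTTPServer`/`http.server` code: it builds a listing response the way a hardened handler would, plus a small checker that uses the stdlib header parser to confirm a Content-Type value carries a charset parameter. The fixed UTF-8 charset, the `render_listing` and `content_type_declares_charset` names, and the sample file names are assumptions of this example.

```python
"""Hardened directory-listing builder (added example, not CPython's own code).

Shows the two defences relevant to CVE-2011-4940:
  1. declare the charset explicitly in Content-Type, so the browser does not
     sniff the encoding of the listing page;
  2. HTML-escape every file name before it is placed into the page.
"""
import html
import urllib.parse
from email.message import Message

# Assumption of this example: the listing is always sent as UTF-8.
LISTING_CHARSET = "utf-8"


def content_type_declares_charset(header_value: str) -> bool:
    """Return True if a Content-Type header value carries a charset parameter.

    The stdlib email header parser is used so quoting and parameter order are
    handled the way a real HTTP client would handle them.
    """
    msg = Message()
    msg["Content-Type"] = header_value
    return msg.get_param("charset", header="Content-Type") is not None


def render_listing(display_path, names):
    """Build (headers, body_bytes) for a directory listing.

    `names` is a list of directory entries as os.listdir() would return them.
    Each entry is percent-encoded for the href and HTML-escaped for the
    visible text, so a hostile file name cannot inject markup.
    """
    title = "Directory listing for %s" % html.escape(display_path)
    lines = [
        "<!DOCTYPE html>",
        "<html><head>",
        '<meta http-equiv="Content-Type" content="text/html; charset=%s">'
        % LISTING_CHARSET,
        "<title>%s</title></head>" % title,
        "<body><h2>%s</h2><hr><ul>" % title,
    ]
    for name in sorted(names, key=lambda n: n.lower()):
        href = urllib.parse.quote(name, errors="surrogatepass")
        lines.append('<li><a href="%s">%s</a></li>'
                     % (html.escape(href), html.escape(name)))
    lines.append("</ul><hr></body></html>")
    body = "\n".join(lines).encode(LISTING_CHARSET, "surrogateescape")
    headers = [
        # The charset parameter is the fix for this CVE.
        ("Content-Type", "text/html; charset=%s" % LISTING_CHARSET),
        ("Content-Length", str(len(body))),
        # Extra defence: tell browsers not to sniff the content type either.
        ("X-Content-Type-Options", "nosniff"),
    ]
    return headers, body


if __name__ == "__main__":
    # Constructed sample directory entries, including a markup-looking name.
    sample = ["notes.txt", "<b>bold</b>.txt", "r\u00e9sum\u00e9.pdf"]
    hdrs, page = render_listing("/", sample)
    for k, v in hdrs:
        print("%s: %s" % (k, v))
    print()
    print(page.decode(LISTING_CHARSET))
```

The checker is the kind of assertion worth keeping in a test suite for any handler that emits HTML: run it over the header the handler sends and fail the test if no charset is declared.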

Timeline

Timeline using the disclosure date 2011-03-08 as reference:

  • 2011-03-08: Python issue #11442 reported by Guido van Rossum
  • 2011-03-17 (+9 days): commit 3853586
  • 2011-05-26 (+79 days): Python 2.5.6 released
  • 2011-06-03 (+87 days): Python 2.6.7 released
  • 2011-06-11 (+95 days): Python 2.7.2 released
  • 2012-06-27 (+477 days): CVE-2011-4940 published
  • 2013-04-07 (+761 days): Python 3.2.4 released
  • 2013-04-07 (+761 days): Python 3.3.1 released
  • 2014-03-16 (+1104 days): Python 3.4.0 released