.. _cgi-directory-traversal-is_cgi:

CGI directory traversal (is_cgi() function)
===========================================

.. warning::
   This resource is maintained for historical reference and **does not
   contain the latest vulnerability info for Python**. The canonical
   database for vulnerabilities affecting Python is available on GitHub in
   the Open Source Vulnerability (OSV) format. This vulnerability can be
   viewed online at the Open Source Vulnerability Database.

The ``is_cgi()`` method in ``CGIHTTPServer.py`` in the ``CGIHTTPServer``
module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script
source code via an HTTP GET request that lacks a ``/`` (slash) character at
the beginning of the URI. Such a path fails the prefix comparison against
``cgi_directories``, so the request is not treated as a CGI invocation; it
falls through to the inherited ``SimpleHTTPServer`` static-file handling,
which serves the script file as-is instead of executing it.

Dates:

* Disclosure date: **2008-03-07** (Python issue bpo-2254 reported)

Fixed In
--------

* Python **2.7.0** (2010-07-03) fixed by commit 923ba36 (branch 2.7) (2009-04-06)
* Python **3.2.4** (2013-04-06) fixed by commit 923ba36 (branch 2.7) (2009-04-06)
* Python **3.3.1** (2013-04-06) fixed by commit 923ba36 (branch 2.7) (2009-04-06)
* Python **3.4.0** (2014-03-16) fixed by commit 923ba36 (branch 2.7) (2009-04-06)

Python issue
------------

Python CGIHTTPServer information disclosure.

* Python issue: bpo-2254
* Creation date: 2008-03-07
* Reporter: sumar

CVE-2011-1015
-------------

The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python
2.5, 2.6, and 3.0 allows remote attackers to read script source code via an
HTTP GET request that lacks a / (slash) character at the beginning of the
URI.
* CVE ID: CVE-2011-1015
* Published: 2011-05-09
* CVSS Score: 5.0

Timeline
--------

Timeline using the disclosure date **2008-03-07** as reference:

* 2008-03-07: Python issue bpo-2254 reported by sumar
* 2009-04-06 (**+395 days**): commit 923ba36 (branch 2.7)
* 2010-07-03 (**+848 days**): Python 2.7.0 released
* 2011-05-09 (**+1158 days**): CVE-2011-1015 published
* 2013-04-06 (**+1856 days**): Python 3.2.4 released
* 2013-04-06 (**+1856 days**): Python 3.3.1 released
* 2014-03-16 (**+2200 days**): Python 3.4.0 released
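The advisory above states only that a request path without a leading slash
slips past ``is_cgi()``. The following is an added example written for this
page; it is not CPython code and not the fixing commit. ``is_cgi_prefix_match``
is a simplified reconstruction of the pre-fix prefix test, while
``canonical_url_path`` and ``is_cgi_canonical`` are this example's own hardened
variant. The CGI directory list and the sample request paths are constructed
for the demonstration.

```python
"""Why a missing leading slash bypassed the CGI check, and a safer classifier.

Added example for this page; not code from CPython or from the fixing commit.
is_cgi_prefix_match() is a simplified reconstruction of the pre-fix test,
canonical_url_path()/is_cgi_canonical() are this example's own hardened
variant.  CGI_DIRECTORIES and SAMPLE_PATHS are constructed for the demo.
"""
from urllib.parse import unquote, urlsplit

# Assumed configuration for the example (hard-coded so it runs without a
# server); these happen to be the directories CGIHTTPServer uses by default.
CGI_DIRECTORIES = ["/cgi-bin", "/htbin"]


def is_cgi_prefix_match(path, cgi_directories=CGI_DIRECTORIES):
    """Naive test: does the *raw* request path start with a CGI directory?

    ``GET cgi-bin/script.py HTTP/1.0`` carries no leading slash, so no prefix
    matches.  A server that falls through to its static-file handler for
    non-CGI paths then serves the script as an ordinary file, i.e. its source.
    """
    for directory in cgi_directories:
        i = len(directory)
        if path[:i] == directory and (not path[i:] or path[i] == "/"):
            return True
    return False


def canonical_url_path(path):
    """Reduce a request path to a single canonical absolute URL path.

    Drops query and fragment, percent-decodes, removes empty and '.' segments,
    resolves '..' (refusing to climb above the root) and always returns a path
    with exactly one leading slash.
    """
    raw = unquote(urlsplit(path).path)
    parts = []
    for segment in raw.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                raise ValueError("path escapes the server root: %r" % (path,))
            parts.pop()
            continue
        parts.append(segment)
    return "/" + "/".join(parts)


def is_cgi_canonical(path, cgi_directories=CGI_DIRECTORIES):
    """Hardened test: classify the canonical path, never the raw request line.

    Every spelling of the same resource (missing slash, '.', '..', percent
    encoding, trailing query) collapses to one string before the comparison,
    so the CGI decision and the file lookup cannot disagree.
    """
    canon = canonical_url_path(path)
    return any(
        canon == directory or canon.startswith(directory + "/")
        for directory in cgi_directories
    )


def classify(paths):
    """Return {path: (naive_is_cgi, hardened_is_cgi)} for a batch of paths."""
    return {p: (is_cgi_prefix_match(p), is_cgi_canonical(p)) for p in paths}


# Constructed request paths, including the bpo-2254 shape (no leading slash).
SAMPLE_PATHS = [
    "/cgi-bin/script.py",
    "cgi-bin/script.py",
    "/static/../cgi-bin/script.py",
    "%2Fcgi-bin/script.py",
    "/cgi-bin/script.py?user=1",
    "/index.html",
]

if __name__ == "__main__":
    for path, (naive, hardened) in classify(SAMPLE_PATHS).items():
        print("%-32s naive=%-5s hardened=%s" % (path, naive, hardened))
```

The second and fourth sample paths are the instructive ones: the naive
check says "not CGI" while the hardened check says "CGI", and it is exactly
that disagreement between the classifier and the file-serving code that
turns a script into downloadable source. A hardened ``is_cgi()`` is only
half the fix; the static handler has to open files by the same canonical
path, otherwise the two code paths can still be made to disagree.
Percent-decoding before classification is this example's choice, made so
that ``%2F`` cannot be used to dodge the check.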