Fluid Attacks Database

Description

The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	python2.7	>=0 <2.7.2-8	2.7.2-8
rpm rhel6	python	<0:2.6.6-29.el6_2.2	0:2.6.6-29.el6_2.2
rpm rhel5	python	<0:2.4.3-46.el5_8.2	0:2.4.3-46.el5_8.2

Aliases

1. CVE-2011-49402. NVD-2011-49403. OSV-DEBIAN-2011-49404. OSV-2011-49405. SECURITY-TRACKER-CVE-2011-4940

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.