
CVE-2011-4940

Published: 27 June 2012

The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.
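As an added illustration (not code from this tracker or from CPython), the following shows the two shapes of the Content-Type header that the description contrasts, and a small check that flags a text/html response with no charset parameter, which is the condition that lets the browser guess the encoding. The sample responses are constructed; the charset value is an assumption for illustration.

```python
"""Check HTTP responses for a text/html Content-Type that omits charset,
the condition described for SimpleHTTPServer.list_directory in CVE-2011-4940.
Added example: not the tracker's or CPython's own code."""
from email.message import Message
from email.parser import Parser


def content_type_before_fix():
    # Shape of the header before the fix: no charset, so the browser is
    # left to sniff the encoding of the listing it receives.
    return "text/html"


def content_type_after_fix(encoding="utf-8"):
    # Shape of the header after the fix: the charset is stated explicitly
    # (the encoding name here is an assumption for illustration).
    return "text/html; charset=%s" % encoding


def declares_charset(content_type):
    """True if a Content-Type value carries an explicit charset parameter."""
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_content_charset() is not None


def audit_response(raw_response):
    """Return findings for one raw HTTP response (status line plus headers).

    A text/html body whose Content-Type lacks charset is reported; a missing
    Content-Type is reported too, since the browser then sniffs as well."""
    _status_line, _, rest = raw_response.partition("\r\n")
    header_block = rest.split("\r\n\r\n", 1)[0]
    headers = Parser().parsestr(header_block, headersonly=True)
    findings = []
    ctype = headers.get("Content-Type")
    if ctype is None:
        findings.append("no Content-Type header")
    elif headers.get_content_type() == "text/html" and not declares_charset(ctype):
        findings.append("text/html without charset parameter")
    return findings


# Constructed sample responses, modelled on a directory-listing reply.
VULNERABLE_RESPONSE = ("HTTP/1.0 200 OK\r\n"
                       "Server: SimpleHTTP/0.6 Python/2.7.1\r\n"
                       "Content-type: text/html\r\n"
                       "Content-Length: 21\r\n\r\n<html>listing</html>")
FIXED_RESPONSE = ("HTTP/1.0 200 OK\r\n"
                  "Server: SimpleHTTP/0.6 Python/2.7.2\r\n"
                  "Content-type: text/html; charset=utf-8\r\n"
                  "Content-Length: 21\r\n\r\n<html>listing</html>")
```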

Notes

tyhicks: A duplicate CVE was incorrectly assigned as CVE-2012-2639

Priority: Medium

Status

Package release status (release: status)

python2.4 (Launchpad, Ubuntu, Debian)
  hardy: Released (2.4.5-1ubuntu4.4)
  lucid: Does not exist
  maverick: Does not exist
  natty: Does not exist
  oneiric: Does not exist
  precise: Does not exist
  upstream: Needs triage

python2.5 (Launchpad, Ubuntu, Debian)
  hardy: Released (2.5.2-2ubuntu6.2)
  lucid: Does not exist
  maverick: Does not exist
  natty: Does not exist
  oneiric: Does not exist
  precise: Does not exist
  upstream: Released (2.5.6)
  Patches:
    upstream: http://svn.python.org/view/python/branches/release25-maint/Lib/SimpleHTTPServer.py?r1=53148&r2=88815&view=patch
    upstream: http://hg.python.org/cpython/rev/e9724d7abbc2



python2.6 (Launchpad, Ubuntu, Debian)
  hardy: Does not exist
  lucid: Released (2.6.5-1ubuntu6.1)
  maverick: Ignored (reached end-of-life)
  natty: Released (2.6.6-6ubuntu7.1)
  oneiric: Not vulnerable (2.6.7-4ubuntu1)
  precise: Does not exist
  upstream: Released (2.6.7-1)
  Patches:
    upstream: http://svn.python.org/view/python/branches/release26-maint/Lib/SimpleHTTPServer.py?r1=66717&r2=88831&view=patch
    upstream: http://hg.python.org/cpython/rev/8cdb95cf096e

python2.7 (Launchpad, Ubuntu, Debian)
  hardy: Does not exist
  lucid: Does not exist
  maverick: Ignored (reached end-of-life)
  natty: Released (2.7.1-5ubuntu2.2)
  oneiric: Not vulnerable (2.7.2-5ubuntu1)
  precise: Not vulnerable (2.7.2-13ubuntu5)
  upstream: Released (2.7.2-8)
  Patches:
    upstream: http://hg.python.org/cpython/rev/e9724d7abbc2/