Python's SimpleHTTPServer class is a simple HTTP server, documented as
serving up the content of the pwd and below read-only via GET and HEAD
$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
However, by inserting "../" path fragments within the path section of
the URL, it's possible to traverse other directories within the
shows 5 directories above in the directory structure.
We can also browse /proc and /sys on this example using:
(by browsing to find the correct number of ".." entries to locate the
suggests that this bug cannot be reproduced.
Also SimpleHTTPServer is supposed to serve contents from the current directory and any directories below it.
Closing this issue.
This is NOT a security issue, in fact this is not a bug at all. lynx was used incorrectly. This resulted in files being viewed from the local system and not from the web.
I asked MITRE (via http://cveform.mitre.org/) to REJECT the CVE.
Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.
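
The comments above state that the server only serves the current directory and anything below it. The following check is an added example, not part of the original report or of Python's own code: it uses Python 3's http.server (the successor of the Python 2 SimpleHTTPServer module) and compares its path mapping with a hypothetical naive join. The request paths and the helper names stdlib_resolve, naive_resolve, inside and audit are assumptions made for illustration.

```python
# Added example: where do "../" request paths end up on disk?
import os
import tempfile
from http.server import SimpleHTTPRequestHandler
from urllib.parse import unquote


def stdlib_resolve(root, url_path):
    """Map a request path to a filesystem path the way the handler does."""
    # Build the handler without a socket; translate_path only reads
    # self.directory (assumption: Python 3.7 or later).
    handler = SimpleHTTPRequestHandler.__new__(SimpleHTTPRequestHandler)
    handler.directory = root
    return handler.translate_path(url_path)


def naive_resolve(root, url_path):
    """Hypothetical unsafe mapping: join the decoded path onto the root."""
    return os.path.normpath(os.path.join(root, unquote(url_path).lstrip("/")))


def inside(root, fs_path):
    """True if fs_path is the root itself or lies below it."""
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(fs_path)]) == root


# Constructed request paths, including the "../" form from the report.
SAMPLE_PATHS = [
    "/index.html",
    "/../../../../../etc/passwd",
    "/%2e%2e/%2e%2e/etc/passwd",
    "/sub/../../proc/version",
]


def audit(root):
    """Return {path: (stdlib_stays_inside, naive_stays_inside)}."""
    return {p: (inside(root, stdlib_resolve(root, p)),
                inside(root, naive_resolve(root, p))) for p in SAMPLE_PATHS}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for path, (safe, naive) in audit(root).items():
            print(f"{path!r}: stdlib inside root={safe}, naive inside root={naive}")
```

The handler drops every ".." component before joining, so each sample path resolves under the served directory, while the naive join leaves it.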