Python's SimpleHTTPServer class is a simple HTTP server, documented as serving up the content of the pwd and below readonly via GET and HEAD commands:

    $ python -m SimpleHTTPServer
    Serving HTTP on 0.0.0.0 port 8000 ...

However, by inserting "../" path fragments within the path section of the URL, it's possible to traverse other directories within the filesystem. For example:

    lynx localhost:8000/../../../../..

shows 5 directories above in the directory structure. We can also browse /proc and /sys on this example using:

    lynx localhost:8000/../../../../../../../../proc
    lynx localhost:8000/../../../../../../../../sys

(by browsing to find the correct number of ".." entries to locate the root directory).

http://bugs.python.org/issue11197
http://bugs.python.org/issue11197#msg139056 suggests that this bug cannot be reproduced. Also SimpleHTTPServer is supposed to serve contents from the current directory and any directories below it. Closing this issue.
This is NOT a security issue, in fact this is not a bug at all. lynx was used incorrectly. This resulted in files being viewed from the local system and not from the web. Reference: http://bugs.python.org/issue11197#msg139554
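Why the server side cannot be coaxed above its root, as an added illustration that is not code from the bug report or from the Python project: a reimplementation of the path normalisation that SimpleHTTPServer's translate_path() applies to every request, run over the paths from the report, with a containment check. The root directory /srv/www is a constructed value.

```python
"""Mirror of how SimpleHTTPServer maps a request path onto the filesystem.

This reimplements the stdlib translate_path() steps rather than importing the
handler class, so the mapping can be inspected without starting a server.
"""
import os
import posixpath
from urllib.parse import unquote


def translate_path(url_path: str, root: str) -> str:
    """Map the path part of a request URL to a file under `root`.

    Steps mirrored from the stdlib handler: drop query and fragment, percent-
    decode, collapse the path with posixpath.normpath (which discards leading
    '..' on an absolute path), then rebuild it component by component while
    skipping '.', '..' and any component that still contains a separator.
    A request can therefore never resolve to a file above `root`.
    """
    path = url_path.split('?', 1)[0].split('#', 1)[0]
    path = unquote(path)                 # "%2e%2e" becomes ".." before normpath
    path = posixpath.normpath(path)      # "/../../proc" becomes "/proc"
    result = root
    for word in path.split('/'):
        if not word or word in (os.curdir, os.pardir) or os.path.dirname(word):
            continue
        result = os.path.join(result, word)
    return result


def escapes_root(url_path: str, root: str) -> bool:
    """True if the mapped path lies outside `root` (a lexical check; no symlink
    resolution, so it only judges the request-path handling itself)."""
    mapped = os.path.normpath(translate_path(url_path, root))
    root = os.path.normpath(root)
    return os.path.commonpath([mapped, root]) != root


ROOT = "/srv/www"  # constructed document root for the demonstration

if __name__ == "__main__":
    for request in ("/../../../../..",
                    "/../../../../../../../../proc",
                    "/%2e%2e/%2e%2e/etc/passwd",
                    "/docs/../index.html"):
        print(f"{request!r:40} -> {translate_path(request, ROOT)}"
              f"  escapes={escapes_root(request, ROOT)}")
```

The paths from the report all land inside the document root; the listing the reporter saw came from the client opening a local path, not from the server.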
I asked MITRE (via the http://cveform.mitre.org/) to REJECT the CVE.
Statement: Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.