CVE-2018-16478

Vulnerability

A path traversal vulnerability exists in simplehttpserver versions <=0.2.1 (also reported as <=0.3.0 in one advisory [3]). The application fails to properly validate file paths, allowing users to traverse directories and list files outside the intended web root [1][2]. This affects all installations using the default configuration when the server is started without additional path restrictions.

Exploitation

An attacker with network access to the server can exploit this by crafting HTTP requests containing path traversal sequences (e.g., ../) in the URL [1]. No authentication or special privileges are required, as the server is typically exposed to serve files. A reported HackerOne submission (ID 403703) details the exploit steps [1][2].

Impact

Successful exploitation allows an attacker to list files in arbitrary directories outside the web root, leading to information disclosure [1][2][3]. This can expose sensitive files such as configuration files, source code, or other data stored on the server. The impact is limited to directory listing and file read; no remote code execution or file write is described in the references.

Mitigation

The vulnerability is fixed in version 0.2.1+ (or 0.3.0+ per some sources) [2][3]. Users should upgrade to the latest patched version. As a temporary workaround, avoid exposing simplehttpserver to untrusted networks or use a reverse proxy with path validation. The project may be inactive; no further patches are described for newer reported versions.