Issue Details (XML | Word | Printable)

Key: MODPYTHON-135
Type: Bug Bug
Status: Closed Closed
Resolution: Fixed
Priority: Major Major
Assignee: Jim Gallacher
Reporter: Graham Dumpleton
Votes: 0
Watchers: 0
Operations

If you were logged in you would be able to see more operations.
mod_python

[SECURITY] A Security Issue with FileSession in 3.2.7

Created: 17/Feb/06 01:32 PM   Updated: 09/Oct/09 11:46 PM
Return to search
Component/s: session
Affects Version/s: 3.2.7
Fix Version/s: 3.2.8, 3.3.1

Time Tracking:
Not Specified

Resolution Date: 06/Mar/06 02:47 AM


 Description  « Hide
As announced on the mailing list:

  http://www.modpython.org/pipermail/mod_python/2006-February/020284.html

If you are using the recently released mod_python 3.2.7 please beware that a
security issue was discovered in the FileSession code.

You are vulnerable only if you are using mod_python 3.2.7 AND you are using
FileSession to keep sessions. FileSession is new in 3.2.7 and is not enabled by
default, therefore if you are using mod_python Session in its default
configuration you are not vulnerable.

The extent of this vulnerability is limited. Only a user who already has an
account (or some ability to write to the filesystem) on the system running
httpd could exploit it, and to the best of our knowledge such a user could
potentially cause httpd to execute arbitrary code.

We are working on a security release of the next version of mod_python and
expect it to be out shortly. Until then, please do not use FileSession.

 All   Comments   Work Log   Change History   Subversion Commits      Sort Order: Ascending order - Click to sort in descending order
No work has yet been logged on this issue.

Powered by a free Atlassian JIRA open source license for Apache Software Foundation. Try JIRA - bug tracking software for your team.
Atlassian JIRA the Professional Issue Tracker. (Enterprise Edition, Version: 3.13.2-#335) - Bug/feature request - Atlassian news - Contact Administrators