Bug 215951 - dev-python/beaker Malicious cookies may allow access to files outside the session directory
Summary: dev-python/beaker Malicious cookies may allow access to files outside the ses...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-04-02 21:22 UTC by Felix Schwarz
Modified: 2008-05-02 06:42 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
preliminary patch (prevent_attack.patch, 344 bytes, patch), 2008-04-02 21:23 UTC, Felix Schwarz

Description Felix Schwarz 2008-04-02 21:22:13 UTC
Upstream developers were notified today (2008-04-02).
Affected versions: 0.7.3-0.9.3 (and probably earlier versions)

Details:
========
In certain configurations with file-based session storage, it is possible
for an attacker to put arbitrary information into a session. beaker does
not check the session id carefully enough so it is possible to choose an
arbitrary file (with the file suffix '.cache') on the server which is used
as the source for the session information.

The session files are processed by Python's pickle module so it is even
possible to execute code on the server by using a carefully crafted pickle
file.

This is because util.encoded_path() only concatenates the session id
(provided by the cookie) with a root directory if no digesting option is
chosen. A proof-of-concept exploit is attached (put the session file into
an arbitrary directory and change the path in exploit.py accordingly,
execute start-demo.py and run exploit.py).

This is essentially the same problem as in CherryPy [1].

I created a preliminary patch which may fix the problem but I'm not sure if
it has some side-effects.

[1] http://www.cherrypy.org/ticket/744
Comment 1 Felix Schwarz 2008-04-02 21:23:02 UTC
Created attachment 148140
preliminary patch
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-04-08 13:24:31 UTC
Sorry for not following this up any earlier.

Felix, did you hear back from upstream?
Comment 3 Felix Schwarz 2008-04-08 16:53:43 UTC
Upstream did commit my patch in the hg repo (https://www.knowledgetap.com/hg/beaker, changesets 678944e06a25 and 157ac6801b7b) a few days ago but did not release (to my best knowledge) an updated version.

Maybe you could ask them if they want to do a release soon.

Btw: The security issue can be avoided by digesting the session ids. This option is already present in current beaker versions.
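The following is an added illustration, not beaker's code and not from the report: a hypothetical file-backed session store that shows the flawed path construction described in the bug (cookie value joined straight onto the session root) next to the two mitigations the thread mentions, digesting the id before it becomes a filename (SHA-256 is an assumption here; beaker's own digest option may differ) and, alternatively, validating the id format and confirming the resolved path stays under the root. The root directory and the 32-hex-character id format are assumed values.

```python
import hashlib
import os
import re

# Constructed values: placeholder session directory and an assumed id format.
ROOT = "/srv/beaker-sessions"
SUFFIX = ".cache"
SESSION_ID_RE = re.compile(r"^[0-9a-f]{32}$")


def unsafe_session_path(root, session_id):
    """Flawed variant: the cookie value is trusted as a path component,
    so an id containing '..' segments resolves outside the root."""
    return os.path.normpath(os.path.join(root, session_id + SUFFIX))


def digested_session_path(root, session_id):
    """Mitigation named in the report: digest the id before it touches the
    filesystem. Whatever the cookie contains, the filename is fixed-length hex."""
    digest = hashlib.sha256(session_id.encode("utf-8")).hexdigest()
    return os.path.join(root, digest + SUFFIX)


def validated_session_path(root, session_id):
    """Alternative: whitelist the id format, then confirm the resolved path
    is still beneath the root before any file is opened (or unpickled)."""
    if not SESSION_ID_RE.match(session_id):
        raise ValueError("malformed session id")
    path = os.path.realpath(os.path.join(root, session_id + SUFFIX))
    if not is_inside(root, path):
        raise ValueError("session path escapes root")
    return path


def is_inside(root, path):
    """True when path resolves beneath root: the containment check the
    unsafe variant never performs."""
    root = os.path.realpath(root)
    return os.path.realpath(path).startswith(root + os.sep)
```

Because the session file is fed to pickle, keeping the lookup inside the directory the server controls is what stands between a forged cookie and arbitrary code execution; the digest route has the added benefit that no validation regex has to be kept in sync with the id generator.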
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-04-08 17:27:36 UTC
Python herd, please bump.
Comment 5 Rob Cakebread (RETIRED) gentoo-dev 2008-05-02 02:38:09 UTC
Thanks, Felix, your patch was included upstream in 0.9.4 which I added to CVS.