Bug 80109 - dev-python/mod_python CAN-2005-0088 XML flaw
Summary: dev-python/mod_python CAN-2005-0088 XML flaw
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://archives.neohapsis.com/archive...
Whiteboard: A4? [glsaupdate] jaervosz
Keywords:
Duplicates: 81827 83074
Depends on:
Blocks:
 
Reported: 2005-01-30 11:02 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-12-13 11:36 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
publisher.diff (publisher.diff,1.42 KB, patch)
2005-01-30 22:28 UTC, Sune Kloppenborg Jeppesen (RETIRED)
publisher-2.diff (publisher-2.diff,1.35 KB, patch)
2005-02-09 02:44 UTC, Thierry Carrez (RETIRED)
mod_python-3.1.3.ebuild (mod_python-3.1.3.ebuild,1.83 KB, text/plain)
2005-02-11 09:25 UTC, Rob Cakebread (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-30 11:02:38 UTC
Graham Dumpleton discovered a flaw which can affect anyone using the
publisher handle of the Apache Software Foundation mod_python.  The
publisher handle lets you publish objects inside modules to make them
callable via URL.  The flaw allows a carefully crafted URL to obtain extra
information that should not be visible (information leak).

Although this flaw is similar in nature to the Python issue bug #80094,
it has a lesser impact.
The fix (tentatively) is this patch to the publisher.py file. As a
super-quick hack perhaps disallowing access to anything that contains
"func_" in the apache config may be the way to go.

--- publisher.py.orig   Fri Jan 28 10:26:34 2005
+++ publisher.py        Fri Jan 28 10:33:22 2005
@@ -260,15 +260,31 @@
      (period) to find the last one we're looking for.
      """

-    for obj_str in  object_str.split('.'):
+    parts = object_str.split('.')
+
+    for n range(len(parts)):
+
          obj = getattr(obj, obj_str)
+        obj_type = type(obj)

-        # object cannot be a module
-        if type(obj) == ModuleType:
+        # object cannot be a module or a class
+        if obj_type in [ClassType, ModuleType]:
              raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND

-        realm, user, passwd = process_auth(req, obj, realm,
-                                           user, passwd)
+        if n < (len(parts)-1):
+
+            # all but the last object ...
+
+            # ...must be instance
+            if obj_type != InstanceType:
+                raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
+
+            # ...can't be callable
+            if callable(obj):
+                raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
+
+            realm, user, passwd = process_auth(req, obj, realm,
+                                               user, passwd)

      return obj
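Review bot: the rewritten loop in this hunk does not run as written: `for n range(len(parts)):` is missing `in`, and the body still calls `getattr(obj, obj_str)` although the loop variable is now `n`, so `obj_str` is never bound. `for n, obj_str in enumerate(parts):` keeps the index and the name together and fixes both. Two further things to check: `ClassType` and `InstanceType` must be imported from `types` alongside `ModuleType`, and moving the `process_auth` call under `if n < (len(parts)-1):` means the final object on the path is no longer passed through it, whereas before every object was; if that is not intended, keep a call for the last object as well.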
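Added example, not code from the bug report or from mod_python: a Python 3 version of the traversal rules the patch above introduces (no module or class at any step, intermediate steps must be non-callable plain instances, private names refused), run against a constructed sample module. `NotFound`, `resolve`, `is_rejected`, `Account`, `greet` and `sample` are names chosen here, and the `builtins` check stands in for the Python 2 `InstanceType` test.

```python
import types
class NotFound(Exception):
    """Stands in for raising apache.HTTP_NOT_FOUND in this example."""

def resolve(root, object_str):
    """Walk a URL-supplied dotted path from the published module `root` using
    the publisher.py patch's rules: no step may be a module or a class, and
    every step but the last must be a non-callable, non-builtin instance."""
    parts = object_str.split('.')
    obj = root
    for n, name in enumerate(parts):
        if not name or name.startswith('_'):   # private names are never published
            raise NotFound(object_str)
        try:
            obj = getattr(obj, name)
        except AttributeError:
            raise NotFound(object_str)
        # object cannot be a module or a class
        if isinstance(obj, (types.ModuleType, type)):
            raise NotFound(object_str)
        if n < len(parts) - 1:
            # all but the last object must be an instance of a user-defined class
            # (Python 3 stand-in for the patch's InstanceType test) ...
            if type(obj).__module__ == 'builtins':
                raise NotFound(object_str)
            # ... and can't be callable, so function internals stay out of reach
            if callable(obj):
                raise NotFound(object_str)
    return obj

def is_rejected(root, object_str):
    try:
        resolve(root, object_str)
    except NotFound:
        return True
    return False

# Constructed sample of a module an administrator might publish.
class Account:
    def __init__(self):
        self.balance = 10
    def show(self):
        return 'balance=%d' % self.balance

def greet():
    return 'hello'

sample = types.ModuleType('sample')
sample.account, sample.greet = Account(), greet
sample.types = types  # an imported module that must never be reachable
```

Published attributes and methods resolve normally, while any path that passes through a function, a class, a module or a builtin value on the way to something deeper is answered with 404.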
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-30 11:03:49 UTC
POC given but not included on this bug.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-30 22:28:58 UTC
Created attachment 50028
publisher.diff

Updated patch.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-02-09 02:44:56 UTC
Created attachment 50803
publisher-2.diff

Better patch
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-11 02:49:53 UTC
This is public now. Python please provide an updated ebuild.
Comment 5 Rob Cakebread (RETIRED) gentoo-dev 2005-02-11 09:25:19 UTC
Created attachment 51011
mod_python-3.1.3.ebuild
Comment 6 Rob Cakebread (RETIRED) gentoo-dev 2005-02-11 11:46:35 UTC
Patched 3.1.3 and bumped it to 3.1.3-r1, added both to CVS
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-11 12:00:47 UTC
This one is ready for GLSA.
Comment 8 Elfyn McBratney (beu) (RETIRED) gentoo-dev 2005-02-13 00:04:36 UTC

*** This bug has been marked as a duplicate of 81827 ***
Comment 9 Elfyn McBratney (beu) (RETIRED) gentoo-dev 2005-02-13 00:09:45 UTC
Re-opening - again, so so sorry people. :/
Comment 10 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-02-13 00:15:49 UTC
*** Bug 81827 has been marked as a duplicate of this bug. ***
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-13 02:17:47 UTC
GLSA 200502-14
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-23 08:33:58 UTC
*** Bug 83074 has been marked as a duplicate of this bug. ***
Comment 13 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-07 06:50:46 UTC
Reopening after a 3/4 year ...
Someone please mark mod_python-2.7.11 stable on x86 as it suffers the same
vulnerability and all apache1 users need this one to be secure. We might have to
update the glsa later, not sure atm.
Comment 14 Bryan Østergaard (RETIRED) gentoo-dev 2005-12-10 15:44:16 UTC
Stabled 2.7.11 on x86.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-12-11 10:02:26 UTC
I think this one needs a GLSA update
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-12 22:31:46 UTC
Updated in GLSAmaker, awaiting review.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-12-13 05:53:38 UTC
Looks OK except Resolution should read :

# emerge --sync
# emerge --ask --oneshot --verbose dev-python/mod_python
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-13 06:47:26 UTC
Fixed in GLSAmaker without version bump. 
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2005-12-13 09:41:58 UTC
OK for me, clear to go.
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-13 11:36:53 UTC
Committed. 
 
Thx Stefan.