The Python folks have discovered a flaw in SimpleXMLRPCServer that can affect any XML-RPC servers. This affects any programs that have been written that allow remote untrusted users to do unrestricted traversal and can allow them to access or change function internals using the im_* and func_* attributes.
2.3.5 will be released soon to fix this problem.
The exploit only works when register_instance() is called with an instance that does not implement _dispatch(). XML-RPC servers that use register_function() instead of register_instance() are not vulnerable. Unfortunately most XML-RPC tutorials use register_instance() without pointing out the recursive traversal feature.
Embargo until 1600 UTC today. See advisory and patches @ http://www.python.org/security/PSF-2005-001/
Now public on bug 80592

*** This bug has been marked as a duplicate of 80592 ***
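The three registration patterns the report above distinguishes, side by side, as an added example (not code from the advisory or from Python itself). It uses Python 3's `xmlrpc.server`, where dotted traversal has to be switched on with `allow_dotted_names=True`; the `Service`, `Backend` and `GuardedService` classes and the `call`/`build` helpers are constructed for illustration.

```python
from xmlrpc.server import SimpleXMLRPCDispatcher

class Backend:
    """Constructed internal helper that must never be remotely callable."""
    def purge(self):
        return "purged"

class Service:
    """Constructed service object; only lookup() is meant to be public."""
    def __init__(self):
        self.backend = Backend()

    def lookup(self, key):
        return "value-for-" + key

class GuardedService(Service):
    """Same service with _dispatch(), so the server never traverses it."""
    EXPORTED = frozenset({"lookup"})

    def _dispatch(self, method, params):
        if method not in self.EXPORTED:
            raise Exception('method "%s" is not supported' % method)
        return getattr(self, method)(*params)

def call(dispatcher, method, *params):
    """Return the call result, or None if the dispatcher refuses the name."""
    try:
        return dispatcher._dispatch(method, params)
    except Exception:  # broad on purpose: any refusal counts as "not exposed"
        return None

def build(mode):
    """Build a dispatcher using one of the three registration patterns."""
    d = SimpleXMLRPCDispatcher()
    if mode == "traversal":    # instance without _dispatch(), dotted names on
        d.register_instance(Service(), allow_dotted_names=True)
    elif mode == "dispatch":   # instance implements _dispatch() allowlist
        d.register_instance(GuardedService(), allow_dotted_names=True)
    else:                      # "function": explicit registration only
        d.register_function(Service().lookup, "lookup")
    return d

if __name__ == "__main__":
    for m in ("traversal", "dispatch", "function"):
        print(m, call(build(m), "lookup", "a"), call(build(m), "backend.purge"))
```

Only the "traversal" dispatcher resolves `backend.purge`; the other two expose `lookup` and nothing else.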