Graham Dumpleton discovered a flaw which can affect anyone using the publisher handler of the Apache Software Foundation mod_python. The publisher handler lets you publish objects inside modules to make them callable via URL. The flaw allows a carefully crafted URL to obtain extra information that should not be visible (information leak). Although this flaw is similar in nature to the Python issue bug #80094, it has a lesser impact. The fix (tentatively) is this patch to the publisher.py file. As a super-quick hack, perhaps disallowing access to anything that contains "func_" in the apache config may be the way to go.
--- publisher.py.orig Fri Jan 28 10:26:34 2005 +++ publisher.py Fri Jan 28 10:33:22 2005 @@ -260,15 +260,31 @@ (period) to find the last one we're looking for. """ - for obj_str in object_str.split('.'): + parts = object_str.split('.') + + for n range(len(parts)): + obj = getattr(obj, obj_str) + obj_type = type(obj) - # object cannot be a module - if type(obj) == ModuleType: + # object cannot be a module or a class + if obj_type in [ClassType, ModuleType]: raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND - realm, user, passwd = process_auth(req, obj, realm, - user, passwd) + if n < (len(parts)-1): + + # all but the last object ... + + # ...must be instance + if obj_type != InstanceType: + raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND + + # ...can't be callable + if callable(obj): + raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND + + realm, user, passwd = process_auth(req, obj, realm, + user, passwd) return obj
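Review bot: the rewritten loop in this hunk will not run as posted: `for n range(len(parts)):` is missing the `in` keyword, and the body still reads `obj = getattr(obj, obj_str)` although `obj_str` is no longer bound anywhere once the `for obj_str in ...` line is removed; it should be `for n in range(len(parts)):` with `obj = getattr(obj, parts[n])`. Two further points on the type checks: `ClassType` and `InstanceType` only describe old-style classes, so an instance of a new-style class (Python 2.2 and later) is not `InstanceType` and the `obj_type != InstanceType` test rejects every such object as an intermediate segment, while a new-style class itself (whose type is `type`) slips past `obj_type in [ClassType, ModuleType]` when it is the last segment and gets returned. Both names also need to be imported from `types` next to `ModuleType`; the hunk does not show that.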
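Added example, not mod_python's publisher.py and not the POC referred to in this bug: a Python 3 re-creation of the dotted-path traversal the publisher handler performs, with an original-style resolver (which refuses only modules) beside one that applies the checks the patch above introduces. Python 3 spells the function attributes that the "func_" hack targets as `__globals__`, `__code__` and so on, so the hardened resolver additionally refuses any segment starting with an underscore, the Python 3 counterpart of disallowing "func_" in the Apache config. `DB_PASSWORD`, `Greeter`, `greeter` and `index` are constructed stand-ins for the contents of a published module, and `ROOT` is this module playing the part of it.

```python
"""Dotted-path traversal the way a publisher-style handler does it, in
Python 3: an original-style resolver beside a hardened one.
Added example; not mod_python's publisher.py."""

import sys
import types

# Constructed stand-in for a published module.  DB_PASSWORD is a module
# global that a URL must never be able to reach.
DB_PASSWORD = "hunter2"


class Greeter:
    """An object a publisher is meant to expose."""

    def __init__(self):
        self.name = "guest"

    def hello(self, who="world"):
        return "hello " + who


greeter = Greeter()


def index():
    return "index page"


# The publisher's root is the loaded module; this module plays that part.
ROOT = sys.modules[__name__]


def resolve_unsafe(root, object_str):
    """Original-style traversal: every dotted segment goes through getattr
    and only modules are refused.  'index.__globals__' therefore hands back
    the function's globals dict, DB_PASSWORD included (__globals__ is the
    Python 3 spelling of func_globals)."""
    obj = root
    for obj_str in object_str.split('.'):
        try:
            obj = getattr(obj, obj_str)
        except AttributeError:
            raise LookupError("404 " + object_str)
        if isinstance(obj, types.ModuleType):
            raise LookupError("404 " + object_str)
    return obj


def resolve_safe(root, object_str):
    """Traversal with the patch's rules: no segment may resolve to a module
    or a class (new-style classes included), and every segment but the last
    must be a non-callable instance of a user-defined class.  On top of
    that, a segment whose name starts with '_' is refused, the Python 3
    form of the 'block anything containing func_' hack."""
    parts = object_str.split('.')
    obj = root
    for n, name in enumerate(parts):
        if name.startswith('_'):
            raise LookupError("404 " + object_str)
        try:
            obj = getattr(obj, name)
        except AttributeError:
            raise LookupError("404 " + object_str)
        # object cannot be a module or a class
        if isinstance(obj, (types.ModuleType, type)):
            raise LookupError("404 " + object_str)
        if n < len(parts) - 1:
            # all but the last object must be an instance of a user-defined
            # class (builtin containers such as dict are not traversable)
            # and must not be callable (no walking through functions)
            if callable(obj) or type(obj).__module__ == 'builtins':
                raise LookupError("404 " + object_str)
    return obj


def is_blocked(object_str):
    """True when the hardened resolver refuses object_str."""
    try:
        resolve_safe(ROOT, object_str)
    except LookupError:
        return True
    return False


if __name__ == "__main__":
    # The leak: the function's globals dict, with the secret in it.
    leaked = resolve_unsafe(ROOT, "index.__globals__")
    print("unsafe:", leaked["DB_PASSWORD"])
    # The same URL against the hardened resolver.
    print("safe blocks index.__globals__:", is_blocked("index.__globals__"))
    print("safe allows greeter.name:", resolve_safe(ROOT, "greeter.name"))
```

Note that the hardened resolver still returns a callable when it is the last segment (`greeter.hello`, `index`), which is exactly what a publisher needs in order to call it; the rules only stop a request from walking through a function, class or module to reach what hangs off it.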
POC given but not included on this bug.
Created attachment 50028: publisher.diff (updated patch).
Created attachment 50803: publisher-2.diff (better patch).
This is public now. Python please provide an updated ebuild.
Created attachment 51011: mod_python-3.1.3.ebuild
Patched 3.1.3 and bumped it to 3.1.3-r1, added both to CVS
This one is ready for GLSA.
*** This bug has been marked as a duplicate of 81827 ***
Re-opening - again, so so sorry people. :/
*** Bug 81827 has been marked as a duplicate of this bug. ***
GLSA 200502-14
*** Bug 83074 has been marked as a duplicate of this bug. ***
Reopening after a 3/4 year ... Someone please mark mod_python-2.7.11 stable on x86 as it suffers the same vulnerability and all apache1 users need this one to be secure. We might have to update the glsa later, not sure atm.
Stabled 2.7.11 on x86.
I think this one needs a GLSA update
Updated in GLSAmaker, awaiting review.
Looks OK except Resolution should read:
# emerge --sync
# emerge --ask --oneshot --verbose dev-python/mod_python
Fixed in GLSAmaker without version bump.
OK for me, clear to go.
Committed. Thx Stefan.