Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 80109 - dev-python/mod_python CAN-2005-0088 XML flaw
Summary: dev-python/mod_python CAN-2005-0088 XML flaw
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL: http://archives.neohapsis.com/archive...
Whiteboard: A4? [glsaupdate] jaervosz
Keywords:
: 81827 83074 (view as bug list)
Depends on:
Blocks:
 
Reported: 2005-01-30 11:02 UTC by Sune Kloppenborg Jeppesen
Modified: 2005-12-13 11:36 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
publisher.diff (publisher.diff,1.42 KB, patch)
2005-01-30 22:28 UTC, Sune Kloppenborg Jeppesen
no flags Details | Diff
publisher-2.diff (publisher-2.diff,1.35 KB, patch)
2005-02-09 02:44 UTC, Thierry Carrez (RETIRED)
no flags Details | Diff
mod_python-3.1.3.ebuild (mod_python-3.1.3.ebuild,1.83 KB, text/plain)
2005-02-11 09:25 UTC, Rob Cakebread (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2005-01-30 11:02:38 UTC
Graham Dumpleton discovered a flaw which can affect anyone using the
publisher handle of the Apache Software Foundation mod_python.  The
publisher handle lets you publish objects inside modules to make them
callable via URL.  The flaw allows a carefully crafted URL to obtain extra
information that should not be visible (information leak).

Although this flaw is similar in nature to the Python issue bug #80094,
it has a lesser impact.
        The fix (tennatively) is this patch to the publisher.py file. As a 
        super-quick hack perhaps dissalowing access to anything that contains 
        "func_" in the apache config may be the way to go.

--- publisher.py.orig   Fri Jan 28 10:26:34 2005
+++ publisher.py        Fri Jan 28 10:33:22 2005
@@ -260,15 +260,31 @@
      (period) to find the last one we're looking for.
      """

-    for obj_str in  object_str.split('.'):
+    parts = object_str.split('.')
+
+    for n range(len(parts)):
+
          obj = getattr(obj, obj_str)
+        obj_type = type(obj)

-        # object cannot be a module
-        if type(obj) == ModuleType:
+        # object cannot be a module or a class
+        if obj_type in [ClassType, ModuleType]:
              raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND

-        realm, user, passwd = process_auth(req, obj, realm,
-                                           user, passwd)
+        if n < (len(parts)-1):
+
+            # all but the last object ...
+
+            # ...must be instance
+            if obj_type != InstanceType:
+                raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
+
+            # ...can't be callable
+            if callable(obj):
+                raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
+
+            realm, user, passwd = process_auth(req, obj, realm,
+                                               user, passwd)

      return obj
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-30 11:03:49 UTC
POC given but not oncluded on this bug.
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-30 22:28:58 UTC
Created attachment 50028 [details, diff]
publisher.diff

Updated patch.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-02-09 02:44:56 UTC
Created attachment 50803 [details, diff]
publisher-2.diff

Better patch
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-02-11 02:49:53 UTC
This is public now. Python please provide an updated ebuild.
Comment 5 Rob Cakebread (RETIRED) gentoo-dev 2005-02-11 09:25:19 UTC
Created attachment 51011 [details]
mod_python-3.1.3.ebuild
Comment 6 Rob Cakebread (RETIRED) gentoo-dev 2005-02-11 11:46:35 UTC
Patched 3.1.3 and bumped it to 3.1.3-r1, added both to CVS
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2005-02-11 12:00:47 UTC
This one is ready for GLSA.
Comment 8 Elfyn McBratney (beu) (RETIRED) gentoo-dev 2005-02-13 00:04:36 UTC

*** This bug has been marked as a duplicate of 81827 ***
Comment 9 Elfyn McBratney (beu) (RETIRED) gentoo-dev 2005-02-13 00:09:45 UTC
Re-opening - again, so so sorry people. :/
Comment 10 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-02-13 00:15:49 UTC
*** Bug 81827 has been marked as a duplicate of this bug. ***
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2005-02-13 02:17:47 UTC
GLSA 200502-14
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-23 08:33:58 UTC
*** Bug 83074 has been marked as a duplicate of this bug. ***
Comment 13 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-07 06:50:46 UTC
Reopening after a 3/4 year ...
Someone please mark mod_python-2.7.11 stable on x86 as it suffers the same
vulnerability and all apache1 users need this one to be secure. We might have to
update the glsa later, not sure atm.
Comment 14 Bryan Østergaard (RETIRED) gentoo-dev 2005-12-10 15:44:16 UTC
Stabled 2.7.11 on x86.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-12-11 10:02:26 UTC
I think this one needs a GLSA update
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2005-12-12 22:31:46 UTC
Updated i GLSAmaker, awaiting review. 
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-12-13 05:53:38 UTC
Looks OK except Resolution should read :

# emerge --sync
# emerge --ask --oneshot --verbose dev-python/mod_python
Comment 18 Sune Kloppenborg Jeppesen gentoo-dev 2005-12-13 06:47:26 UTC
Fixed in GLSAmaker without version bump. 
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2005-12-13 09:41:58 UTC
OK for me, clear to go.
Comment 20 Sune Kloppenborg Jeppesen gentoo-dev 2005-12-13 11:36:53 UTC
Committed. 
 
Thx Stefan.