Apache Mod-Python - Created: (MODPYTHON-135) [SECURITY] A Security Issue with

This is Interesting: Free IT Magazines  
Home > Archive > Apache Mod-Python > February 2006 > Created: (MODPYTHON-135) [SECURITY] A Security Issue with





You are viewing an archived Text-only version of the thread. To view this thread in it's original format and/or if you want to reply to this thread please [click here]

Author Created: (MODPYTHON-135) [SECURITY] A Security Issue with
Graham Dumpleton (JIRA)

2006-02-17, 11:10 pm

[SECURITY] A Security Issue with FileSession in 3.2.7
-----------------------------------------------------

Key: MODPYTHON-135
URL: http://issues.apache.org/jira/browse/MODPYTHON-135
Project: mod_python
Type: Bug
Components: session
Versions: 3.2
Reporter: Graham Dumpleton


As announced on the mailing list:

http://www.modpython.org/pipermail/...ary/020284.html

If you are using the recently released mod_python 3.2.7 please beware that a
security issue was discovered in the FileSession code.

You are vulnerable only if you are using mod_python 3.2.7 AND you are using
FileSession to keep sessions. FileSession is new in 3.2.7 and is not enabled by
default, therefore if you are using mod_python Session in its default
configuration you are not vulnerable.

The extent of this vulnerability is limited. Only a user who already has an
account (or some ability to write to the filesystem) on the system running
httpd could exploit it, and to the best of our knowledge such a user could
potentially cause httpd to execute arbitrary code.

We are working on a security release of the next version of mod_python and
expect it to be out shortly. Until then, please do not use FileSession.


Sponsored Links






Free braindumps | Software forum | Database administration forum

Copyright 2003 - 2008 webservertalk.com