[ http://issues.apache.org/jira/brows...ON-135?page=all ]

Graham Dumpleton updated MODPYTHON-135:
---------------------------------------

Fix Version: 3.2.8

Although fixed in 3.2.8, the fix for this still hasn't been applied to 3.3 t
runk.

> [SECURITY] A Security Issue with FileSession in 3.2.7
> -----------------------------------------------------
>
>          Key: MODPYTHON-135
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-135
>      Project: mod_python
>         Type: Bug
>   Components: session
>     Versions: 3.2.7
>     Reporter: Graham Dumpleton
>     Assignee: Jim Gallacher
>      Fix For: 3.2.8

>
> As announced on the mailing list:
>   http://www.modpython.org/pipermail/...ary/020284.html
> If you are using the recently released mod_python 3.2.7 please beware that
 a
> security issue was discovered in the FileSession code.
> You are vulnerable only if you are using mod_python 3.2.7 AND you are usin
g
> FileSession to keep sessions. FileSession is new in 3.2.7 and is not enabl
ed by
> default, therefore if you are using mod_python Session in its default
> configuration you are not vulnerable.
> The extent of this vulnerability is limited. Only a user who already has a
n
> account (or some ability to write to the filesystem) on the system running
> httpd could exploit it, and to the best of our knowledge such a user could
> potentially cause httpd to execute arbitrary code.
> We are working on a security release of the next version of mod_python and
> expect it to be out shortly. Until then, please do not use FileSession.

[ Post a follow-up to this message ]