Summary: CAN-2005-0088 mod_python information leak
Product: Red Hat Enterprise Linux 3
Reporter: Josh Bressers <bressers>
Component: mod_python
Assignee: Joe Orton <jorton>
Status: CLOSED ERRATA
Doc Type: Bug Fix
Last Closed: 2005-02-10 15:56:43 UTC
Description Josh Bressers 2005-01-31 15:43:56 UTC
Graham Dumpleton discovered a flaw which can affect anyone using the publisher handler of the Apache Software Foundation mod_python. The publisher handler lets you publish objects inside modules to make them callable via URL. The flaw allows a carefully crafted URL to obtain extra information that should not be visible (information leak).

Gregory (Grisha) Trubetskoy gives this example. Given a published module foo.py:

    _secret_info = "BLAH"

    def hello(req):
        return "Hello world!"

A request to http://yourhost/foo.py/hello would result in (as expected) "Hello world!". _secret_info is inaccessible by the rules of the publisher because it begins with an underscore. Here is the problem. A request to

    http://yourhost/foo.py/hello/func_globals

would result in a slew of interesting info (too much to paste in here), among them the name and value of _secret_info and other things such as the full pathname of the file foo.py.

The fix (tentatively) is this patch to the publisher.py file. As a super-quick hack, perhaps disallowing access to anything that contains "func_" in the apache config may be the way to go.
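The traversal described above, modelled as an added example that is not mod_python's publisher.py and not the patch attached to this bug. A toy resolver walks a URL path such as "hello/func_globals" over a published module the way the report describes: the original rule refuses only path components beginning with "_". The hardened resolver additionally refuses to descend into callables, interpreter objects (generators, frames, code) and imported modules, which is a type boundary rather than the name-based "func_" filter the comment suggests as a quick hack. Python 2 functions carried the non-underscored attributes func_globals, func_code, func_defaults and func_closure; Python 3 renamed them to __globals__ and friends, so the exact path in the report no longer resolves there. To show the same class of leak under Python 3, the constructed module (the report's foo.py plus an assumed `import os` and a module-level generator `stream`) is probed with "stream/gi_frame/f_globals", which reaches the module globals, including _secret_info and the constructed __file__ path, through attribute names carrying no underscore at all.

```python
"""Publisher-style URL traversal and the gap in an underscore-only rule.

Added example: not mod_python's publisher.py and not the RHSA patch.  The
module source is the foo.py from the bug report plus two constructed
additions (an import and a module-level generator).  The __file__ path is
constructed as well.
"""
import types

FOO_PY = '''
import os                      # constructed: real handler modules import things

_secret_info = "BLAH"

def hello(req):
    return "Hello world!"

stream = (n for n in range(3))  # constructed: a published generator object
'''


class Forbidden(Exception):
    """Stand-in for the HTTP 403 the publisher returns for refused paths."""


def load_module(name, source, path="/var/www/html/foo.py"):
    """Build a module from source; the path is a constructed stand-in."""
    mod = types.ModuleType(name)
    mod.__file__ = path
    exec(source, mod.__dict__)
    return mod


def resolve_vulnerable(module, path):
    """The rule the report describes: refuse names starting with '_', walk everything else."""
    obj = module
    for name in path.strip("/").split("/"):
        if not name or name.startswith("_"):
            raise Forbidden(name)
        obj = getattr(obj, name)
    return obj


# Interpreter objects whose public attributes expose globals, code and frames,
# plus modules other than the published one.
INTERNAL_TYPES = (types.GeneratorType, types.FrameType, types.CodeType,
                  types.TracebackType, types.ModuleType)


def resolve_hardened(module, path):
    """Underscore rule plus a type boundary.

    Only the published module and plain, non-callable instances found in it are
    containers that may be walked.  A callable (function, method, class) is a
    leaf: it gets called, never looked inside.  Imported modules, generators,
    frames and code objects were never published and are not traversed either.
    """
    obj = module
    for name in path.strip("/").split("/"):
        if not name or name.startswith("_"):
            raise Forbidden(name)
        if obj is not module and (callable(obj) or isinstance(obj, INTERNAL_TYPES)):
            raise Forbidden(name)
        obj = getattr(obj, name)
    return obj


def probe(resolver, module, path):
    """Resolve a path and normalise the outcome so both resolvers can be compared."""
    try:
        return resolver(module, path)
    except Forbidden:
        return "FORBIDDEN"
    except AttributeError:
        return "NO SUCH ATTRIBUTE"


def describe(result):
    """Summarise a resolved object; a globals dict is shown by its keys only."""
    if isinstance(result, dict):
        keys = sorted(k for k in result if k != "__builtins__")
        return "dict with keys " + ", ".join(keys)
    return repr(result)


if __name__ == "__main__":
    foo = load_module("foo", FOO_PY)
    for url_path in ("hello", "_secret_info", "hello/func_globals",
                     "stream/gi_frame/f_globals", "os/system"):
        for resolver in (resolve_vulnerable, resolve_hardened):
            outcome = describe(probe(resolver, foo, url_path))
            print("%-18s %-26s -> %s" % (resolver.__name__, url_path, outcome))
```

Under the original rule the generator path returns the module's globals dict (with _secret_info and __file__ in it) and "os/system" resolves to a callable the publisher would happily invoke; the hardened resolver refuses both, and also refuses "hello/func_globals" on every Python version, because it never looks inside a function regardless of what its attributes are called.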
Comment 1 Josh Bressers 2005-01-31 15:43:56 UTC
Created attachment 110440: Patch to fix this issue.
Comment 2 Josh Bressers 2005-01-31 15:52:18 UTC
This issue also affects RHEL2.1
Comment 3 Joe Orton 2005-02-02 15:52:33 UTC
Erratum queued as RHSA-2005:104.
Comment 4 Mark J. Cox 2005-02-10 13:59:08 UTC
Comment 5 Josh Bressers 2005-02-10 15:56:43 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-104.html