Graham Dumpleton discovered a flaw which can affect anyone using the
publisher handle of the Apache Software Foundation mod_python. The
publisher handle lets you publish objects inside modules to make them
callable via URL. The flaw allows a carefully crafted URL to obtain extra
information that should not be visible (information leak).
Gregory (Grisha) Trubetskoy gives this example:
For example, given a published module foo.py:
_secret_info = "BLAH"
return "Hello world!"
A request to http://yourhost/fo.py/hello would result in (as expected)
"Hello world!". _scret_info is inaccessible by the rules of the
publisher because it begins with an underscore.
Here is the problem. A request to
Would result in a slew of interesting info (too much to paste in here),
among them the name and value of _secret_info and other things such as
the full pathname of the file foo.py.
The fix (tennatively) is this patch to the publisher.py file. As a
super-quick hack perhaps dissalowing access to anything that contains
"func_" in the apache config may be the way to go.
Created attachment 110440 [details]
Patch to fix this issue.
This issue also affects RHEL2.1
Erratum queued as RHSA-2005:104.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.