*** This bug has been split off bug 146655 ***

------- Original comment by Josh Bressers (Security Response Team) on 2005.01.31 10:43 -------

Graham Dumpleton discovered a flaw which can affect anyone using the publisher handle of the Apache Software Foundation mod_python. The publisher handle lets you publish objects inside modules to make them callable via URL. The flaw allows a carefully crafted URL to obtain extra information that should not be visible (information leak).

Gregory (Grisha) Trubetskoy gives this example:

For example, given a published module foo.py:

    _secret_info = "BLAH"

    def hello(req):
        return "Hello world!"

A request to http://yourhost/foo.py/hello would result in (as expected) "Hello world!". _secret_info is inaccessible by the rules of the publisher because it begins with an underscore.

Here is the problem. A request to http://yourhost/foo.py/hello/func_globals would result in a slew of interesting info (too much to paste in here), among them the name and value of _secret_info and other things such as the full pathname of the file foo.py.

The fix (tentatively) is this patch to the publisher.py file. As a super-quick hack perhaps disallowing access to anything that contains "func_" in the apache config may be the way to go.

The patch for this issue is attachment 110440.
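To check whether the traversal described in the comment above has been requested against a server, the report's "func_" rule can be applied to access logs. The following is an added example, not code from the bug report or from mod_python: the function names, the Common Log Format input and the sample lines are constructed, and it assumes published modules are addressed with a .py extension as in foo.py.

```python
import re
from urllib.parse import unquote, urlsplit

# Client, request target and status from a Common Log Format entry.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
MARKER = "func_"  # substring named in the report's suggested quick mitigation


def object_path(target):
    """Split a publisher-style URL into (module, [traversal segments])."""
    # The log records the raw request line, so decode once (as the server
    # does) before matching; otherwise func%5Fglobals would be missed.
    path = unquote(urlsplit(target).path)
    segments = [s for s in path.split("/") if s]
    for i, seg in enumerate(segments):
        if seg.lower().endswith(".py"):
            return seg, segments[i + 1:]
    return None, []  # assumption: no .py segment means not a published module


def flag_requests(lines):
    """Return (client, module, traversal, status) for suspicious requests."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed log entries
        module, traversal = object_path(m.group("target"))
        if any(MARKER in seg.lower() for seg in traversal):
            hits.append((m.group("client"), module,
                         "/".join(traversal), int(m.group("status"))))
    return hits


# Constructed sample entries (documentation address range).
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Jan/2005:10:43:00 +0000] "GET /foo.py/hello HTTP/1.1" 200 12',
    '192.0.2.11 - - [31/Jan/2005:10:44:00 +0000] "GET /foo.py/hello/func_globals HTTP/1.1" 200 4096',
    '192.0.2.12 - - [31/Jan/2005:10:45:00 +0000] "GET /foo.py/hello/func%5Fglobals HTTP/1.1" 200 4096',
    '192.0.2.13 - - [31/Jan/2005:10:46:00 +0000] "GET /docs/func_overview.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged entry means the server answered the request, so the response size and the module involved are worth reviewing for what was disclosed.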
This issue also affects FC2.
removing embargo
Fixed in FEDORA-2005-140, FEDORA-2005-139:
http://www.redhat.com/archives/fedora-announce-list/2005-February/msg00038.html
http://www.redhat.com/archives/fedora-announce-list/2005-February/msg00037.html