*** This bug has been split off bug 146655 ***
------- Original comment by Josh Bressers (Security Response Team) on 2005.01.31
Graham Dumpleton discovered a flaw which can affect anyone using the
publisher handle of the Apache Software Foundation mod_python. The
publisher handle lets you publish objects inside modules to make them
callable via URL. The flaw allows a carefully crafted URL to obtain extra
information that should not be visible (information leak).
Gregory (Grisha) Trubetskoy gives this example:
For example, given a published module foo.py:
_secret_info = "BLAH"
return "Hello world!"
A request to http://yourhost/fo.py/hello would result in (as expected)
"Hello world!". _scret_info is inaccessible by the rules of the
publisher because it begins with an underscore.
Here is the problem. A request to
Would result in a slew of interesting info (too much to paste in here),
among them the name and value of _secret_info and other things such as
the full pathname of the file foo.py.
The fix (tennatively) is this patch to the publisher.py file. As a
super-quick hack perhaps dissalowing access to anything that contains
"func_" in the apache config may be the way to go.
The patch for this issue is attachment 110440 [details].
Erratum queued as RHSA-2005:100.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.