*** This bug has been split off bug 146655 *** ------- Original comment by Josh Bressers (Security Response Team) on 2005.01.31 10:43 ------- Graham Dumpleton discovered a flaw which can affect anyone using the publisher handle of the Apache Software Foundation mod_python. The publisher handle lets you publish objects inside modules to make them callable via URL. The flaw allows a carefully crafted URL to obtain extra information that should not be visible (information leak). Gregory (Grisha) Trubetskoy gives this example: For example, given a published module foo.py: _secret_info = "BLAH" def hello(req): return "Hello world!" A request to http://yourhost/fo.py/hello would result in (as expected) "Hello world!". _scret_info is inaccessible by the rules of the publisher because it begins with an underscore. Here is the problem. A request to http://yourhost/foo.py/hello/func_globals Would result in a slew of interesting info (too much to paste in here), among them the name and value of _secret_info and other things such as the full pathname of the file foo.py. The fix (tennatively) is this patch to the publisher.py file. As a super-quick hack perhaps dissalowing access to anything that contains "func_" in the apache config may be the way to go. The patch for this issue is attachment 110440 [details].
Erratum queued as RHSA-2005:100.
removing embargo
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-100.html