quetz-mod_python-dev mailing list archives

From "Brian Martin (JIRA)" <j...@apache.org>
Subject [jira] Commented: (MODPYTHON-135) [SECURITY] A Security Issue with FileSession in 3.2.7
Date Fri, 09 Oct 2009 23:48:31 GMT

    [ https://issues.apache.org/jira/browse/MODPYTHON-135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12764257#action_12764257 ]

Brian Martin commented on MODPYTHON-135:


> [SECURITY] A Security Issue with FileSession in 3.2.7
> -----------------------------------------------------
>                 Key: MODPYTHON-135
>                 URL: https://issues.apache.org/jira/browse/MODPYTHON-135
>             Project: mod_python
>          Issue Type: Bug
>          Components: session
>    Affects Versions: 3.2.7
>            Reporter: Graham Dumpleton
>            Assignee: Jim Gallacher
>             Fix For: 3.2.8, 3.3.1
> As announced on the mailing list:
>   http://www.modpython.org/pipermail/mod_python/2006-February/020284.html
> If you are using the recently released mod_python 3.2.7 please beware that a 
> security issue was discovered in the FileSession code.
> You are vulnerable only if you are using mod_python 3.2.7 AND you are using 
> FileSession to keep sessions. FileSession is new in 3.2.7 and is not enabled by 
> default, therefore if you are using mod_python Session in its default 
> configuration you are not vulnerable.
> The extent of this vulnerability is limited. Only a user who already has an 
> account (or some ability to write to the filesystem) on the system running 
> httpd could exploit it, and to the best of our knowledge such a user could 
> potentially cause httpd to execute arbitrary code.
> We are working on a security release of the next version of mod_python and 
> expect it to be out shortly. Until then, please do not use FileSession.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
