Posted to mod_python-dev@quetz.apache.org by "Gregory (Grisha) Trubetskoy" <gr...@apache.org> on 2006/02/15 18:30:31 UTC

[SECURITY] A Security Issue with FileSession in 3.2.7

If you are using the recently released mod_python 3.2.7, please beware that a
security issue was discovered in the FileSession code.

You are vulnerable only if you are using mod_python 3.2.7 AND you are using
FileSession to keep sessions. FileSession is new in 3.2.7 and is not enabled by
default; therefore, if you are using mod_python Session in its default
configuration, you are not vulnerable.

The extent of this vulnerability is limited. Only a user who already has an 
account (or some ability to write to the filesystem) on the system running 
httpd could exploit it, and to the best of our knowledge such a user could 
potentially cause httpd to execute arbitrary code.

We are working on a security release of the next version of mod_python and 
expect it to be out shortly. Until then, please do not use FileSession.

Regards,

Your mod_python team.