You are viewing a plain text version of this content. The canonical link for it is here.
Posted to mod_python-dev@quetz.apache.org by "Graham Dumpleton (JIRA)" <ji...@apache.org> on 2007/04/11 13:30:35 UTC
[jira] Closed: (MODPYTHON-135) [SECURITY] A Security Issue with
FileSession in 3.2.7
[ https://issues.apache.org/jira/browse/MODPYTHON-135?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Graham Dumpleton closed MODPYTHON-135.
--------------------------------------
> [SECURITY] A Security Issue with FileSession in 3.2.7
> -----------------------------------------------------
>
> Key: MODPYTHON-135
> URL: https://issues.apache.org/jira/browse/MODPYTHON-135
> Project: mod_python
> Issue Type: Bug
> Components: session
> Affects Versions: 3.2.7
> Reporter: Graham Dumpleton
> Assigned To: Jim Gallacher
> Fix For: 3.3, 3.2.8
>
>
> As announced on the mailing list:
> http://www.modpython.org/pipermail/mod_python/2006-February/020284.html
> If you are using the recently released mod_python 3.2.7 please beware that a
> security issue was discovered in the FileSession code.
> You are vulnerable only if you are using mod_python 3.2.7 AND you are using
> FileSession to keep sessions. FileSession is new in 3.2.7 and is not enabled by
> default, therefore if you are using mod_python Session in its default
> configuration you are not vulnerable.
> The extent of this vulnerability is limited. Only a user who already has an
> account (or some ability to write to the filesystem) on the system running
> httpd could exploit it, and to the best of our knowledge such a user could
> potentially cause httpd to execute arbitrary code.
> We are working on a security release of the next version of mod_python and
> expect it to be out shortly. Until then, please do not use FileSession.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.