|
|
|
 |
Vulnerability Note VU#356409mod_python vulnerable to information disclosure via crafted URLOverviewThe Apache mod_python module is vulnerable to unintended remote information disclosure using specially crafted URLs.I. DescriptionFrom the mod_python web page:Mod_python is an Apache module that embeds the Python interpreter within the server. With mod_python you can write web-based applications in Python that will run many times faster than traditional CGI and will have access to advanced features such as ability to retain database connections and other data between hits and access to Apache internals. The mod_python publisher, which allows Python module objects to be called in a URL, contains a subtle flaw in the request handling logic. Unintended information may be leaked by objects which are not meant to be visible. II. ImpactA remote attacker may be able to craft a URL to obtain script data and information which was not meant to be visible. This could include variable names and values, object data, and more.III. SolutionObtain updated packagesmod_python has released updated packages which do not contain this flaw:
For Apache 2.0: mod_python 3.0.4 (or later) These packages can be obtained from the mod_python download page. A proposed workaround is to set the Apache server to block URLs containing requests that begin with "func_". This is not a definitive solution and may also hinder normal operation of the server. Systems Affected
References
Thanks to Graham Dumpleton and RedHat for reporting this vulnerability. This document was written by Ken MacInnis.
If you have feedback, comments, or additional information about this vulnerability, please send us
email. |
||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
Get Adobe Reader