[ https://issues.apache.org/jira/browse/MODPYTHON-135?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Graham Dumpleton closed MODPYTHON-135.
--------------------------------------

> [SECURITY] A Security Issue with FileSession in 3.2.7
> -----------------------------------------------------
>
>                 Key: MODPYTHON-135
>                 URL: https://issues.apache.org/jira/browse/MODPYTHON-135
>             Project: mod_python
>          Issue Type: Bug
>          Components: session
>    Affects Versions: 3.2.7
>            Reporter: Graham Dumpleton
>         Assigned To: Jim Gallacher
>             Fix For: 3.3, 3.2.8
>
>
> As announced on the mailing list:
>   http://www.modpython.org/pipermail/mod_python/2006-February/020284.html
> If you are using the recently released mod_python 3.2.7 please beware that a
> security issue was discovered in the FileSession code.
> You are vulnerable only if you are using mod_python 3.2.7 AND you are using
> FileSession to keep sessions. FileSession is new in 3.2.7 and is not enabled
> by default, therefore if you are using mod_python Session in its default
> configuration you are not vulnerable.
> The extent of this vulnerability is limited. Only a user who already has an
> account (or some ability to write to the filesystem) on the system running
> httpd could exploit it, and to the best of our knowledge such a user could
> potentially cause httpd to execute arbitrary code.
> We are working on a security release of the next version of mod_python and
> expect it to be out shortly. Until then, please do not use FileSession.