[jira] Closed: (MODPYTHON-135) [SECURITY] A Security Issue with FileSession in 3.2.7

2007-04-11 Thread Graham Dumpleton (JIRA)

 [ https://issues.apache.org/jira/browse/MODPYTHON-135?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Graham Dumpleton closed MODPYTHON-135.
--


 [SECURITY] A Security Issue with FileSession in 3.2.7
 -

 Key: MODPYTHON-135
 URL: https://issues.apache.org/jira/browse/MODPYTHON-135
 Project: mod_python
  Issue Type: Bug
  Components: session
Affects Versions: 3.2.7
Reporter: Graham Dumpleton
 Assigned To: Jim Gallacher
 Fix For: 3.3, 3.2.8


 As announced on the mailing list:
   http://www.modpython.org/pipermail/mod_python/2006-February/020284.html
 If you are using the recently released mod_python 3.2.7 please beware that a 
 security issue was discovered in the FileSession code.
 You are vulnerable only if you are using mod_python 3.2.7 AND you are using 
 FileSession to keep sessions. FileSession is new in 3.2.7 and is not enabled by 
 default, therefore if you are using mod_python Session in its default 
 configuration you are not vulnerable.
 The extent of this vulnerability is limited. Only a user who already has an 
 account (or some ability to write to the filesystem) on the system running 
 httpd could exploit it, and to the best of our knowledge such a user could 
 potentially cause httpd to execute arbitrary code.
 We are working on a security release of the next version of mod_python and 
 expect it to be out shortly. Until then, please do not use FileSession.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.



[jira] Assigned: (MODPYTHON-135) [SECURITY] A Security Issue with FileSession in 3.2.7

2006-02-25 Thread Jim Gallacher (JIRA)
 [ http://issues.apache.org/jira/browse/MODPYTHON-135?page=all ]

Jim Gallacher reassigned MODPYTHON-135:
---

Assign To: Jim Gallacher

 [SECURITY] A Security Issue with FileSession in 3.2.7
 -

  Key: MODPYTHON-135
  URL: http://issues.apache.org/jira/browse/MODPYTHON-135
  Project: mod_python
 Type: Bug
   Components: session
 Versions: 3.2
 Reporter: Graham Dumpleton
 Assignee: Jim Gallacher


 As announced on the mailing list:
   http://www.modpython.org/pipermail/mod_python/2006-February/020284.html
 If you are using the recently released mod_python 3.2.7 please beware that a 
 security issue was discovered in the FileSession code.
 You are vulnerable only if you are using mod_python 3.2.7 AND you are using 
 FileSession to keep sessions. FileSession is new in 3.2.7 and is not enabled by 
 default, therefore if you are using mod_python Session in its default 
 configuration you are not vulnerable.
 The extent of this vulnerability is limited. Only a user who already has an 
 account (or some ability to write to the filesystem) on the system running 
 httpd could exploit it, and to the best of our knowledge such a user could 
 potentially cause httpd to execute arbitrary code.
 We are working on a security release of the next version of mod_python and 
 expect it to be out shortly. Until then, please do not use FileSession.




[jira] Created: (MODPYTHON-135) [SECURITY] A Security Issue with FileSession in 3.2.7

2006-02-16 Thread Graham Dumpleton (JIRA)
[SECURITY] A Security Issue with FileSession in 3.2.7
-

 Key: MODPYTHON-135
 URL: http://issues.apache.org/jira/browse/MODPYTHON-135
 Project: mod_python
Type: Bug
  Components: session  
Versions: 3.2
Reporter: Graham Dumpleton


As announced on the mailing list:

  http://www.modpython.org/pipermail/mod_python/2006-February/020284.html

If you are using the recently released mod_python 3.2.7 please beware that a 
security issue was discovered in the FileSession code.

You are vulnerable only if you are using mod_python 3.2.7 AND you are using 
FileSession to keep sessions. FileSession is new in 3.2.7 and is not enabled by 
default, therefore if you are using mod_python Session in its default 
configuration you are not vulnerable.

The extent of this vulnerability is limited. Only a user who already has an 
account (or some ability to write to the filesystem) on the system running 
httpd could exploit it, and to the best of our knowledge such a user could 
potentially cause httpd to execute arbitrary code.

We are working on a security release of the next version of mod_python and 
expect it to be out shortly. Until then, please do not use FileSession.





[SECURITY] A Security Issue with FileSession in 3.2.7

2006-02-15 Thread Gregory (Grisha) Trubetskoy


If you are using the recently released mod_python 3.2.7 please beware that a 
security issue was discovered in the FileSession code.


You are vulnerable only if you are using mod_python 3.2.7 AND you are using 
FileSession to keep sessions. FileSession is new in 3.2.7 and is not enabled by 
default, therefore if you are using mod_python Session in its default 
configuration you are not vulnerable.


The extent of this vulnerability is limited. Only a user who already has an 
account (or some ability to write to the filesystem) on the system running 
httpd could exploit it, and to the best of our knowledge such a user could 
potentially cause httpd to execute arbitrary code.


We are working on a security release of the next version of mod_python and 
expect it to be out shortly. Until then, please do not use FileSession.


Regards,

Your mod_python team.