has identified a flaw in the standard XML-RPC server (the SimpleXMLRPCServer.py library module) included in Python 2.2 and later.
This email explains the nature of the flaw, ActiveState's recommendations on whether you should patch your systems urgently, and
how to do so.
You may also wish to consult the advisory from Python.org, available at:
http://www.python.org/security/PSF-2005-001/
Should you patch your system urgently?
======================================
ActiveState recommends that you do an immediate audit of ActivePython installations which expose XML-RPC servers built with SimpleXMLRPCServer.py to an untrusted network (such as the public internet). The flaw only affects Python XML-RPC servers that use the register_instance() method to register an object without a _dispatch() method. Servers using only register_function() are not affected.
Patching your system
====================
Updated builds of ActivePython will be made available as soon as possible. There is a simple workaround that can be put into place in the meantime: it requires only replacing a single Python file in each affected Python installation.
1. Replace the existing SimpleXMLRPCServer.py file with the appropriate patched version.
* For ActivePython 2.2 (windows line endings): http://activestate.com/Products/ActivePython/python22/windows/SimpleXMLRPCServer.py
* For ActivePython 2.2 (unix line endings): http://activestate.com/Products/ActivePython/python22/unix/SimpleXMLRPCServer.py
* For ActivePython 2.3 or 2.4 (windows line endings): http://activestate.com/Products/ActivePython/python23/windows/SimpleXMLRPCServer.py
* For ActivePython 2.3 or 2.4 (unix line endings): http://activestate.com/Products/ActivePython/python23/windows/SimpleXMLRPCServer.py
These files have Windows line endings, but can be converted to Unix line endings easily if needed (they will work as is on Linux/Unix as well).
This file is installed in the lib directory of the Python installation, such as:
* On Windows, typically in C:\Python23\Lib (or similar)
* On Linux, typically in /usr/local/ActivePython-2.2/lib/python2.2/ or /opt/ActivePython-2.3/lib/python2.3 (or similar)
2. Remove any precompiled versions (called SimpleXMLRPCServer.pyo or SimpleXMLRPCServer.pyc). These will be regenerated automatically from the patched version as necessary.
3. Shut down and restart your XML-RPC servers (instructions will depend on your programs).
Note that this patched version disables recursive traversal, potentially resulting in reduced functionality of XML-RPC applications depending on this feature.
Nature of the flaw
==================
On vulnerable XML-RPC servers, a remote attacker may be able to view or modify globals of the module(s) containing the registered instance's class(es), potentially leading to data loss or arbitrary code execution.
If the registered object is a module, the danger is particularly serious. For example, if the registered module imports the os module, an
attacker could invoke the os.system() function.
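The affected pattern (register_instance() on an object with no _dispatch() method) and the mitigation can be exercised offline by pushing marshalled XML-RPC requests straight through the dispatcher. This is an added example, not ActiveState's patched module: it uses Python 3's xmlrpc.server, the successor of SimpleXMLRPCServer.py, and the names SafeService, build_dispatcher and call are assumptions made for the demonstration.

```python
from xmlrpc.server import SimpleXMLRPCDispatcher
from xmlrpc.client import dumps, loads, Fault
import os  # mirrors the advisory's scenario (registered code imports os); never reachable via _dispatch


class SafeService:
    """Instance for register_instance() whose _dispatch() enforces an explicit allow-list.

    Defining _dispatch() takes a server out of the affected pattern in the advisory:
    the dispatcher hands every call here instead of resolving the method name by
    attribute traversal into the instance, its class or their module globals.
    """

    # Only these names are callable over XML-RPC; everything else is refused.
    EXPOSED = frozenset({"ping", "add"})

    def ping(self):
        return "pong"

    def add(self, a, b):
        return a + b

    def _dispatch(self, method, params):
        # Refuses unknown names, private names such as "_dispatch", and dotted
        # names such as "os.getcwd" that recursive traversal would have resolved.
        if method not in self.EXPOSED:
            raise Exception('method "%s" is not supported' % method)
        return getattr(self, method)(*params)


def build_dispatcher():
    """Hypothetical helper: a dispatcher with the hardened instance registered."""
    dispatcher = SimpleXMLRPCDispatcher(allow_none=False, encoding=None)
    dispatcher.register_instance(SafeService())
    return dispatcher


def call(dispatcher, method, *params):
    """Hypothetical helper: push one marshalled XML-RPC request through the
    dispatcher with no socket involved. Returns (True, result) on success or
    (False, fault_string) when the server answered with a Fault."""
    request = dumps(params, methodname=method)          # client-side encoding
    response = dispatcher._marshaled_dispatch(request)  # the bytes the server would send
    try:
        (result,), _ = loads(response)
        return True, result
    except Fault as fault:
        return False, fault.faultString
```

A server built with register_function() only, as the advisory notes, needs none of this; the allow-listing _dispatch() is for code that must keep using register_instance().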
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0089 to this issue.
When will new builds of ActivePython be available?
==================================================
We will be making new builds of ActivePython available as soon as possible. We will update the page at:
http://www.activestate.com/Products/ActivePython/advisory.plex
as they become available. Please feel free to contact us if you have further questions.
ActiveState Python Team
-- Trent Mick [EMAIL PROTECTED]
ActivePython mailing list ActivePython@listserv.ActiveState.com