TurboGears users who have explicitly added CherryPy-based sessions to their application are subject to an important security vulnerability.

Malicious users could create a specially crafted cookie that could delete files beginning with your SESSION_PREFIX from your file system, add new files with that prefix, or overwrite files with the same prefix with arbitrary pickled Python objects. All such users can re-secure their system by updating to CherryPy 2.3.0.

Most TurboGears users are not vulnerable to this issue and do not need to update their systems. You are only vulnerable if you have specifically enabled sessions with:

    sessionFilter.on = True

in your configuration file. You can also search for calls to cherrypy.session in your application. If you find either of these things in your application you are potentially vulnerable, and should test your application with 2.3.0, which should be backwards compatible with your existing TurboGears app.

The easiest way to secure your application is to easy-install it via:

    easy_install -UZ "Cherrypy==2.3.0"

You can use "tg-admin info" to check what version of CherryPy you currently have installed. Please do this before you attempt to update, so that if anything goes wrong you can roll back to your earlier version of CherryPy with:

    easy_install "CherryPy==YourVersion"

Once the update is complete, be sure to use "tg-admin info" again to ensure that you are in fact up to date, and restart your server as necessary.

We have released new versions of TurboGears with this updated dependency. So, you can also upgrade TurboGears to 1.0.3.3 (the most recent stable version) or 1.0.4b5 (the most recent beta), and all new TurboGears installs will not be vulnerable, even if they do turn on cherrypy.session.

--
Mark Ramm-Christensen
email: mark at compoundthinking dot com
blog: www.compoundthinking.com/blog

You received this message because you are subscribed to the Google Groups "TurboGears" group. For more options, visit this group at http://groups.google.com/group/turbogears?hl=en
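The advisory describes a cookie value being used as part of a session file name. The following is an added Python 3 example, not CherryPy or TurboGears code, of the kind of check a file-backed session store needs before it touches the disk: the session id from the cookie is allow-listed and the resolved path is confirmed to sit directly inside the session directory. SESSION_DIR, SESSION_PREFIX, COOKIE_NAME and the function names are constructed for the example.

```python
import os
import re
from http.cookies import SimpleCookie, CookieError

# Constructed values for this example; they are not CherryPy's defaults.
SESSION_DIR = "/var/tmp/example-sessions"
SESSION_PREFIX = "session-"
COOKIE_NAME = "session_id"

# A session id is an opaque token: letters and digits only, bounded length.
_SESSION_ID_RE = re.compile(r"^[A-Za-z0-9]{16,64}$")


def session_id_from_cookie(cookie_header):
    """Extract the session id from a raw Cookie header, or None if absent."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:  # malformed header: treat it as no session at all
        return None
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel is not None else None


def session_file_path(session_id, session_dir=SESSION_DIR, prefix=SESSION_PREFIX):
    """Map a cookie-supplied session id to its file under session_dir.

    Returns None unless the id passes the allow-list regex AND the resolved
    path is a direct child of session_dir carrying the expected prefix, so a
    value such as "../../etc/passwd" can never name a file outside the store.
    """
    if not isinstance(session_id, str) or not _SESSION_ID_RE.match(session_id):
        return None
    base = os.path.realpath(session_dir)
    candidate = os.path.realpath(os.path.join(base, prefix + session_id))
    # Defence in depth: even if the regex were loosened later, refuse any
    # path that does not sit directly inside the session directory.
    if os.path.dirname(candidate) != base:
        return None
    if not os.path.basename(candidate).startswith(prefix):
        return None
    return candidate


def resolve_session(cookie_header):
    """Cookie header -> session file path, or None when it must be ignored."""
    return session_file_path(session_id_from_cookie(cookie_header))
```

A rejected id should be treated as "no session" (issue a fresh one), never as a reason to create, read or delete anything on disk.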

