[mod_python] publisher security concerns

Gregory (Grisha) Trubetskoy grisha at modpython.org
Wed Apr 10 10:56:06 EST 2002


After a little bit of thinking, this looks like essentially a bug - the
Publisher (unlike the native mod_python handler) should not allow access
to files that are not in the directory which is being requested.

Another way to tackle it is require something like a __publish__ variable
to be defined inside the module, but I think that would be overkill.

This is obviously a serious security issue, so I will have to rush a
release out the door to fix it.

It seems that one can only (ab)use modules that are already imported, and of
those only the ones that are native - but that in itself is already enough
to cause minimal harm, e.g.:

http://website/some/path/os/makedirs?name=/tmp/hello

will create a directory "hello" in /tmp

I couldn't think of anything more harmful than this yet, but if someone
can come up with a more evil example, please e-mail me (off list perhaps).

Grisha



On Mon, 8 Apr 2002, Javier Quinteros wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Allan:
> You're right and now..... Houston, Houston. We have a problem....
> Does anyone know how to solve this?
>
> On Monday 08 April 2002 19:05, Allan Saddi wrote:
> > I've found that this is only true when the module is loaded for
> > the first time. If the module is already loaded, regardless of
> > where it was loaded from, then you can access it via URL.
> >
> > For example, since publisher.py imports base64, you can call
> > functions within base64 via URL:
> >
> >   http://website/some/path/base64/encodestring?s=foobar
> >
> > And this actually works for me. (Using FreeBSD 4.5, Apache
> > 1.3.24, mod_python 2.7.6, Python 2.2)
> >
> > My .htaccess is simply:
> >
> >   PythonPath "['/some/directory', '/usr/local/lib/python2.2', '/usr/local/lib/python2.2/lib-dynload', '/usr/local/lib/python2.2/site-packages']"
> >   SetHandler python-program
> >   PythonHandler mod_python.publisher
> >   PythonDebug on
> >
> > - Allan
>
> - --
> - ---------------------------------
> Javier Quinteros
> jquinte at fadu.uba.ar
> Secretaría de Planificación
> Universidad de Buenos Aires
> - ---------------------------------
> There is only one place where the North and the South of the world face
> each other on equal terms: a football pitch in Brazil, at the mouth of the
> Amazon river. The equator cuts the Zerão stadium, in Amapá, in half, so
> each team plays one half in the south and the other half in the north.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE8siEcdBzRnlFl4cgRAuOiAKCqPxaDUL9KTi7BYLevQF9LDtynCQCgrj8Y
> kWv27tFfobuj7JnU1kfptXo=
> =L9NU
> -----END PGP SIGNATURE-----
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://www.modpython.org/mailman/listinfo/mod_python
>
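The traversal Allan and Grisha describe, as an added Python model that is not mod_python's own code: a Publisher-style dispatcher maps /<module>/<callable>?args onto a loaded module and calls it. `vulnerable_publish` reproduces the pre-fix behaviour (any module already in sys.modules is reachable by name, so /os/makedirs?name=... creates a directory), and `hardened_publish` applies the rule Grisha proposes, serving only modules whose source file lives inside the requested directory, and additionally refusing modules without a `__file__` (builtins and C extensions) and underscore-prefixed attributes. The function names, `PublishError`, and the temporary document root with its `hello.py` module are constructed for this example.

```python
"""Simplified model of the mod_python Publisher lookup discussed in the thread.

This is example code, not mod_python's implementation. Names such as
vulnerable_publish, hardened_publish and PublishError are assumptions of
this example; the demo document root and its hello.py module are constructed
fixtures.
"""
import importlib.util
import os
import sys
import tempfile
import urllib.parse


class PublishError(Exception):
    """Raised when a request cannot be mapped onto a publishable callable."""


def _split_request(path_info, query):
    """Turn '/module/callable' and 'a=1&b=2' into (module, callable, kwargs)."""
    parts = [p for p in path_info.split("/") if p]
    if len(parts) != 2:
        raise PublishError("expected /<module>/<callable>")
    mod_name, func_name = parts
    args = dict(urllib.parse.parse_qsl(query, keep_blank_values=True))
    return mod_name, func_name, args


def vulnerable_publish(path_info, query, modules=None):
    """Pre-fix behaviour: any module already loaded is reachable by name.

    /os/makedirs?name=/tmp/hello resolves to os.makedirs and calls it,
    which is exactly the abuse shown in the thread.
    """
    modules = sys.modules if modules is None else modules
    mod_name, func_name, args = _split_request(path_info, query)
    mod = modules.get(mod_name)
    if mod is None:
        raise PublishError("module %r is not loaded" % mod_name)
    func = getattr(mod, func_name, None)
    if not callable(func):
        raise PublishError("%r is not callable" % func_name)
    return func(**args)


def hardened_publish(path_info, query, document_root, modules=None):
    """Post-fix rule: only modules whose source lives under document_root.

    Modules without __file__ (builtins, extensions) cannot be located on
    disk, so they are refused outright; private attributes are not served.
    """
    modules = sys.modules if modules is None else modules
    mod_name, func_name, args = _split_request(path_info, query)
    mod = modules.get(mod_name)
    if mod is None:
        raise PublishError("module %r is not loaded" % mod_name)
    mod_file = getattr(mod, "__file__", None)
    if not mod_file:
        raise PublishError("module %r has no source file; refusing" % mod_name)
    root = os.path.realpath(document_root)
    real = os.path.realpath(mod_file)
    # realpath on both sides defeats symlink and '..' tricks before comparing
    if os.path.commonpath([root, real]) != root:
        raise PublishError("module %r lives outside %s" % (mod_name, root))
    if func_name.startswith("_"):
        raise PublishError("private attribute %r is not published" % func_name)
    func = getattr(mod, func_name, None)
    if not callable(func):
        raise PublishError("%r is not callable" % func_name)
    return func(**args)


def make_demo_root():
    """Constructed fixture: a document root holding one legitimate module,
    plus a module table that also contains os and sys, as a real process would."""
    root = tempfile.mkdtemp(prefix="pubdemo-")
    src = os.path.join(root, "hello.py")
    with open(src, "w") as fh:
        fh.write("def greet(who):\n    return 'hello ' + who\n")
    spec = importlib.util.spec_from_file_location("hello", src)
    hello = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(hello)
    return root, {"hello": hello, "os": os, "sys": sys}


def demo():
    """Run both dispatchers against the same requests and report what happened."""
    root, modules = make_demo_root()
    target = os.path.join(root, "victim")
    mkdir_query = urllib.parse.urlencode({"name": target})
    results = {}
    results["vuln_greet"] = vulnerable_publish("/hello/greet", "who=world", modules)
    vulnerable_publish("/os/makedirs", mkdir_query, modules)
    results["vuln_made_dir"] = os.path.isdir(target)
    results["hard_greet"] = hardened_publish("/hello/greet", "who=world", root, modules)
    for path in ("/os/makedirs", "/sys/getrecursionlimit"):
        try:
            hardened_publish(path, mkdir_query, root, modules)
            results["hard_refused" + path] = False
        except PublishError:
            results["hard_refused" + path] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The directory check is deliberately done on `__file__` rather than on the module name, because the name is whatever the attacker put in the URL; the only thing the server can trust is where the already-loaded module's source actually sits relative to the directory being served.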



