[mod_python] restricting access to certain variables using mod_python.publisher

Jorey Bump list at joreybump.com
Mon Mar 14 23:37:33 EST 2005


Graham Dumpleton wrote:

> I would be intrigued to know how you think you weren't affected at all
> by the object traversal bug which was fixed in 3.1.4 if you were using
> publisher. If you were exporting any function, or method of an object
> you would have potentially been affected even if your code was stored
> outside of the document tree.

Assuming you mean CAN-2005-0088, I was affected, but I ran the exploit 
and it exposed nothing of value.

> Are you still running 3.1.3 on your web site? 

No, I use 2.7.8 on my Debian Woody production servers, and it's been 
patched. My 3.1.x testing servers are up to date.

> If you are, care to tell me
> some URLs of exported methods in your web application so I can see what
> I can find. Your most private data may not have been exposed if you
> were indeed careful, but other internal data could still have been
> which should not have.

I can hear myself asking my boss, now: "There's a tenacious Australian
bug hunter who wants to probe our server..." :)
